Malware Analysis Report

2024-11-16 13:01

Sample ID: 240524-eeykwsca7t
Target:    d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f
SHA256:    d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f
Tags:      neconyd trojan
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  10/10
SHA256: d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f

Threat Level: Known bad

The file d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f was found to be: Known bad.

Malicious Activity Summary

  Neconyd (tags: neconyd, trojan)
  - Detects executables built or packed with MPress PE compressor
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Unsigned PE
  - Program crash
  - Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-24 03:51

Signatures

Detects executables built or packed with MPress PE compressor

  Description | Indicator | Process | Target
  N/A         | N/A       | N/A     | N/A

Unsigned PE

  Description | Indicator | Process | Target
  N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-24 03:51
Reported:         2024-05-24 03:54
Platform:         win7-20240221-en
Max time kernel:  147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor

  Description | Indicator | Process | Target
  N/A         | N/A       | N/A     | N/A
  (12 identical rows in the report: 12 rule matches, none with an indicator, process or target recorded.)

Drops file in System32 directory

  Description  | Indicator                       | Process                                    | Target
  File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are grouped; Count is the number of times the row appears in the report.

  Description                      | Indicator | Process                                                                                                       | Target                                                                                                        | Count
  PID 1056 wrote to memory of 2052 | N/A       | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | 6
  PID 2052 wrote to memory of 2684 | N/A       | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 4
  PID 2684 wrote to memory of 2128 | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 6
  PID 2128 wrote to memory of 1168 | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Windows\SysWOW64\omsecor.exe                                                                               | 4
  PID 1168 wrote to memory of 2000 | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Windows\SysWOW64\omsecor.exe                                                                               | 6
  PID 2000 wrote to memory of 1648 | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 4
  PID 1648 wrote to memory of 764  | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 6

Processes

  Image                                                                                                          | Command line
  C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | "C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe"
  C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Windows\System32\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Windows\SysWOW64\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

  Country | Destination        | Domain          | Proto
  US      | 8.8.8.8:53         | lousta.net      | udp
  FI      | 193.166.255.171:80 | lousta.net      | tcp
  FI      | 193.166.255.171:80 | lousta.net      | tcp
  US      | 8.8.8.8:53         | mkkuei4kdsz.com | udp
  US      | 64.225.91.73:80    | mkkuei4kdsz.com | tcp
  US      | 8.8.8.8:53         | ow5dirasuek.com | udp
  US      | 52.34.198.229:80   | ow5dirasuek.com | tcp
  US      | 8.8.8.8:53         | lousta.net      | udp
  FI      | 193.166.255.171:80 | lousta.net      | tcp
  FI      | 193.166.255.171:80 | lousta.net      | tcp
  US      | 64.225.91.73:80    | mkkuei4kdsz.com | tcp

Files

memory/1056-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2052-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1056-6-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2052-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2052-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    dd87b1b2046bb43538c0f53f687fb023
  SHA1   5457e3bd01b3048bfd813f1334f8d0537e1b61c2
  SHA256 cf2136a4f947381b2007988ef3ddfdfb5897dcfb27fa6c0fa96b90046bb4ff67
  SHA512 48ec3255b9ee674036186ca73304568d52624a1879b3091563c7c4d071f966b01c27ff511bd31ab7db02183c5796766daaa8437fc4bd745ba13fde46ac97ea75

memory/2052-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2052-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2684-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2684-28-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2128-32-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2128-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2128-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2128-41-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe
  MD5    85050c71de25f85cc4c218d46f68961a
  SHA1   9936790e8c475e110a15546d3d8fbfadb449d90c
  SHA256 13dc27f3489724ecb199549c65272bfb40baf153631ebf71227462b1eb18783f
  SHA512 55c90c45aafa7081b4e0c0dbf4fea46daf8784ba5e94c1309765af162cc39e94ddeefa66ce840a3df67230090b0237bfcd1b4b27593ae543ddb09b49c1034444

memory/2128-44-0x0000000000380000-0x00000000003A4000-memory.dmp
memory/2128-52-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1168-54-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1168-62-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    e4e99ad6c123743c6742d97ab94dd17e
  SHA1   2475d79ad2d1792c79ad2d79eee6ede9285c13e5
  SHA256 ac81d867bff562e21ede524b774933614e1614d954b4299a8c364f5ddf6a1eaf
  SHA512 64d6b0422792af799cb862afb613823f3ed5ec02ada3d0b1e44f2477bcb89ceccfa843c8ed6a9d3e58b46e39542910cf1a5b058ba2445e640968bd5311291595

memory/2000-68-0x0000000000230000-0x0000000000254000-memory.dmp
memory/1648-82-0x0000000000400000-0x0000000000424000-memory.dmp
memory/764-84-0x0000000000400000-0x0000000000429000-memory.dmp
memory/764-87-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-05-24 03:51
Reported:         2024-05-24 03:54
Platform:         win10v2004-20240426-en
Max time kernel:  146s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor

  Description | Indicator | Process | Target
  N/A         | N/A       | N/A     | N/A
  (8 identical rows in the report: 8 rule matches, none with an indicator, process or target recorded.)

Drops file in System32 directory

  Description  | Indicator                       | Process                                    | Target
  File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are grouped; Count is the number of times the row appears in the report.

  Description                      | Indicator | Process                                                                                                       | Target                                                                                                        | Count
  PID 1156 wrote to memory of 1376 | N/A       | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | 5
  PID 1376 wrote to memory of 2216 | N/A       | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 3
  PID 2216 wrote to memory of 1324 | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 5
  PID 1324 wrote to memory of 5064 | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Windows\SysWOW64\omsecor.exe                                                                               | 3
  PID 5064 wrote to memory of 4956 | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Windows\SysWOW64\omsecor.exe                                                                               | 5
  PID 4956 wrote to memory of 4860 | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 3
  PID 4860 wrote to memory of 1364 | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | 5

Processes

  Image                                                                                                          | Command line
  C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | "C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe"
  C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe | C:\Users\Admin\AppData\Local\Temp\d582262bb8ac5fc4ebbeffc080268bbecd7307123cbf67a35677e3502afb3b5f.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1156 -ip 1156
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2216 -ip 2216
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 300
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 300
  C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Windows\System32\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe                                                                               | C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5064 -ip 5064
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 292
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                                                    | C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4860 -ip 4860
  C:\Windows\SysWOW64\WerFault.exe                                                                              | C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 256

Network

  Country | Destination         | Domain                       | Proto
  US      | 8.8.8.8:53          | lousta.net                   | udp
  FI      | 193.166.255.171:80  | lousta.net                   | tcp
  US      | 8.8.8.8:53          | g.bing.com                   | udp
  US      | 8.8.8.8:53          | 232.168.11.51.in-addr.arpa   | udp
  US      | 8.8.8.8:53          | 25.24.18.2.in-addr.arpa      | udp
  US      | 8.8.8.8:53          | 133.32.126.40.in-addr.arpa   | udp
  US      | 204.79.197.237:443  | g.bing.com                   | tcp
  NL      | 23.62.61.97:443     | www.bing.com                 | tcp
  US      | 8.8.8.8:53          | 237.197.79.204.in-addr.arpa  | udp
  US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
  NL      | 23.62.61.97:443     | www.bing.com                 | tcp
  US      | 8.8.8.8:53          | 97.61.62.23.in-addr.arpa     | udp
  US      | 8.8.8.8:53          | 133.211.185.52.in-addr.arpa  | udp
  FI      | 193.166.255.171:80  | lousta.net                   | tcp
  US      | 8.8.8.8:53          | 26.165.165.52.in-addr.arpa   | udp
  US      | 8.8.8.8:53          | 18.31.95.13.in-addr.arpa     | udp
  US      | 8.8.8.8:53          | mkkuei4kdsz.com              | udp
  US      | 64.225.91.73:80     | mkkuei4kdsz.com              | tcp
  US      | 8.8.8.8:53          | 172.210.232.199.in-addr.arpa | udp
  US      | 8.8.8.8:53          | 73.91.225.64.in-addr.arpa    | udp
  US      | 8.8.8.8:53          | ow5dirasuek.com              | udp
  US      | 52.34.198.229:80    | ow5dirasuek.com              | tcp
  US      | 8.8.8.8:53          | 229.198.34.52.in-addr.arpa   | udp
  FI      | 193.166.255.171:80  | lousta.net                   | tcp
  US      | 8.8.8.8:53          | 31.243.111.52.in-addr.arpa   | udp
  US      | 8.8.8.8:53          | tse1.mm.bing.net             | udp
  US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
  US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
  US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
  US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
  US      | 8.8.8.8:53          | 57.169.31.20.in-addr.arpa    | udp
  FI      | 193.166.255.171:80  | lousta.net                   | tcp
  US      | 64.225.91.73:80     | mkkuei4kdsz.com              | tcp

Files

memory/1156-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1376-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1376-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1376-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1376-7-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    dd87b1b2046bb43538c0f53f687fb023
  SHA1   5457e3bd01b3048bfd813f1334f8d0537e1b61c2
  SHA256 cf2136a4f947381b2007988ef3ddfdfb5897dcfb27fa6c0fa96b90046bb4ff67
  SHA512 48ec3255b9ee674036186ca73304568d52624a1879b3091563c7c4d071f966b01c27ff511bd31ab7db02183c5796766daaa8437fc4bd745ba13fde46ac97ea75

memory/2216-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1324-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1324-16-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1156-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1324-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1324-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1324-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1324-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
  MD5    b5ff29fb1ece040bb1db8864664ca092
  SHA1   8c201675a3757303e5fa6e0fce323b7a36f820e5
  SHA256 34049c3306c95cc994834509ad618138ad1fa494ac264f6f71da0491be4d7b19
  SHA512 65df5db7fb8e8d7b0c96f8321545ca0685ef210f602b4d48b7e2a6165009121f67c6d5c0a7bc2d56d6bd2ee5c1343d4e45aef022d0e33e5a125c0011d95a7d26

memory/1324-32-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5064-33-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4956-37-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    1aabc1963359d5019deaf1f99dc7fdaa
  SHA1   35e64df6ccf79fc2f90a0c46a88c6ae64d6c47cd
  SHA256 09d127e880fa5a43612a31608d120fed6607a0c417706faae0d6d4310203672c
  SHA512 f2992450e1e017708ff83ea25ffb3c5c94c506cbb9f8322c4dc1bf412fee704a7a36517ca42d1e44438c92403e4bf9945fff7f712e75db4668191050769b8094

memory/4956-42-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4956-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4860-44-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1364-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1364-50-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1364-51-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1364-54-0x0000000000400000-0x0000000000429000-memory.dmp