Malware Analysis Report

2024-11-16 13:01

Sample ID 240524-fj1fqaeb6z
Target eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855
SHA256 eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855

Threat Level: Known bad

The file eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-24 04:54

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 04:54

Reported

2024-05-24 04:57

Platform

win7-20240221-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe
PID 2072 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2264 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2172 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 1672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1672 wrote to memory of 1888 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1888 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe

"C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe"

C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe

C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2156-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2072-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2156-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2072-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2072-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2072-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2072-14-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2072-13-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 649501b2bfcb91352f968e175f9e87f3
SHA1 885b517f268ba87b9ef0c3109105d23e93bd98b2
SHA256 bc989dd822a8eddfe5ceb8e553660a6e6e6356f532f3ae6e24ff55ea010f88fe
SHA512 8f7613b3de747838d77972e9f91a4f99b63034cca9e6328e43711f1c2f12d607622ce694347160d7826bcf466df5ad7b3aee6757b70d3532024a6c327beeb579

memory/2264-22-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2264-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2172-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3d9b8532853b280dcc53480966a0a142
SHA1 63303f0ad36d9e2f9319d31e5178d6b39817f23c
SHA256 88fe38031375f754e61eea613144465d461dce8ffedca01276cdd9304dbf9f84
SHA512 7df7413634ccc6738a323dbac1516c9bb4ecadddcf9a944c946784cefd10f37a3a0aa91ce47c4674f52d61b6f4de4394b31ed731ff774e52421f6b7b019650dc

memory/2172-48-0x0000000000320000-0x0000000000343000-memory.dmp

memory/2172-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-55-0x0000000000320000-0x0000000000343000-memory.dmp

memory/2588-58-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2588-67-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3e3a00e908118656403b584f188d6a26
SHA1 332bd0d520f980ada229babaf6446d71664ad108
SHA256 89e2a687bfb2109440fd28de60bcac73831494f4712b909e901f3e2aee5cbe90
SHA512 c76bce2d1548dd4aea9134516510e7d18d2d32e4104a217a11ad653f833fe3667a15fd55e5c214d63c65bff4b763bbdbe4c6fa6fad78bf38c694439968886a97

memory/1888-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1888-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2856-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2856-93-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 04:54

Reported

2024-05-24 04:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 312 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe
PID 2944 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2952 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2196 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2840 wrote to memory of 1096 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1096 wrote to memory of 632 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 632 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe

"C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe"

C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe

C:\Users\Admin\AppData\Local\Temp\eb8f1b49c8fdc3727bc6689eaec467462608922218226e5c1d335e1de07ee855.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 312 -ip 312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 288

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2952 -ip 2952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 300

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2840 -ip 2840

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 632 -ip 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 244

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/312-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2944-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2944-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2944-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2944-9-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 649501b2bfcb91352f968e175f9e87f3
SHA1 885b517f268ba87b9ef0c3109105d23e93bd98b2
SHA256 bc989dd822a8eddfe5ceb8e553660a6e6e6356f532f3ae6e24ff55ea010f88fe
SHA512 8f7613b3de747838d77972e9f91a4f99b63034cca9e6328e43711f1c2f12d607622ce694347160d7826bcf466df5ad7b3aee6757b70d3532024a6c327beeb579

memory/2952-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2196-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2952-17-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2196-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-33-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b4ce130e5d7e35df14ab3ebec601e0c2
SHA1 6db55e7923db7f110b62c7c3e698e32928c28a8a
SHA256 bbb80426fcfcd1ab53589834174da07c555bce864fe383da4b47583e721f2c51
SHA512 3b24892a434ee38e4846ba5f1e5b7987bde5513ec35f76046f1a7b85236f5d06fa0cc99f12e1984dbd9e54643226a7f0a97c0db1c3435a6acfcb24adfe239d67

memory/2840-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1096-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1096-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1096-37-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b9ef7b0fa707a8dc12411e30fbecff75
SHA1 bfd4e86e8995db35f2c6219c6692e7a05ade1854
SHA256 ee951a7cdc26d2f433d9f4503e0bd520ad53b5a346ec9a9c13673a212401952a
SHA512 f41c40fc203d1689a660b520eb743b3f01a151892b95ee3552be2f91d12fd487475e830384c2b291955d0dc6f2c05eccf29aa1ce7735460533dc0d0e821f71c2

memory/632-45-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1624-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1624-51-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2840-53-0x0000000000400000-0x0000000000423000-memory.dmp

memory/632-54-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1624-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1624-58-0x0000000000400000-0x0000000000429000-memory.dmp