Malware Analysis Report

2024-09-11 08:36

Sample ID 240610-p45evawgmp
Target 62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd
SHA256 62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd

Threat Level: Known bad

The file 62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd was found to be: Known bad.

Malicious Activity Summary

Neconyd (family signature; tags: neconyd, trojan)

Detects executables built or packed with MPress PE compressor

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A: the sandbox mapped no techniques for this sample. The behavioural signatures do fit a well-known pattern, though: WriteProcessMemory into a freshly spawned copy of the same image followed by SetThreadContext is process hollowing (ATT&CK T1055.012, a sub-technique of Process Injection, T1055), and the copies written to %APPDATA% and to the 32-bit system directory are what the "Drops file in System32 directory" and "Executes dropped EXE" signatures record.

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:53

Signatures

Detects executables built or packed with MPress PE compressor (static match; the sandbox recorded no indicator details)

Unsigned PE (no Authenticode signature; the sandbox recorded no indicator details)

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 12:53

Reported

2024-06-10 12:56

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe"

Signatures

Neconyd (family signature; tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor (8 rows, none with indicator details)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

The file lands in SysWOW64, the 32-bit system directory, because the dropper is a 32-bit process and WOW64 file-system redirection maps its System32 path there. Creating a file under C:\Windows needs an elevated administrator token; the sandbox ran the sample with one, so on a host where the user is not an elevated administrator this create fails with access denied.

Suspicious use of WriteProcessMemory

The sandbox logs one row per WriteProcessMemory call; rows that repeat verbatim are collapsed below into a Writes count. Read top to bottom, the rows form a single chain: each process writes into a freshly spawned copy of its own image (5 writes, the overwrite that goes with the SetThreadContext signature, i.e. process hollowing), and the hollowed copy then writes into the next dropped stage (3 writes). The stages run: the sample in %TEMP% -> %APPDATA%\omsecor.exe -> SysWOW64\omsecor.exe -> %APPDATA%\omsecor.exe.

Description Writes Process Target
PID 4576 wrote to memory of 4272 5 C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe
PID 4272 wrote to memory of 528 3 C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 528 wrote to memory of 880 5 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 880 wrote to memory of 3372 3 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3372 wrote to memory of 2548 5 C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2548 wrote to memory of 4180 3 C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4180 wrote to memory of 808 5 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

One row per process: the image the sandbox saw running, then the command line it was started with.

Image Command line
C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe "C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe"
C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 288
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 264
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3372 -ip 3372
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4180 -ip 4180
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 256

The WerFault.exe rows (-p is the faulting PID) report crashes of 4576, 528, 3372 and 4180: exactly the four processes that wrote into a copy of their own image in the WriteProcessMemory table. Each launcher crashes after handing execution to its hollowed child, which is what the "Program crash" signature in the summary refers to; the hollowed children (4272, 880, 2548, 808) do not crash. The row whose command line says C:\Windows\System32\omsecor.exe but whose image is C:\Windows\SysWOW64\omsecor.exe is WOW64 file-system redirection at work: the sample is 32-bit (its image is mapped at 0x400000 in the memory dumps and it is serviced by the SysWOW64 WerFault), so its System32 references resolve to SysWOW64, which is also where the dropped copy was written.

Network

Every DNS query the sandbox saw is listed, not only the sample's. The *.in-addr.arpa rows are reverse (PTR) lookups; two of them (73.91.225.64 and 229.198.34.52) cover the C2 addresses 64.225.91.73 and 52.34.198.229, the rest cover unrelated addresses, and the Win7 run below records none of them, so treat them as platform noise rather than indicators. The indicators are the three resolved domains and their TCP port 80 destinations: lousta.net (193.166.255.171), mkkuei4kdsz.com (64.225.91.73) and ow5dirasuek.com (52.34.198.229).

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/4576-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4272-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4272-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4272-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4272-6-0x0000000000400000-0x0000000000429000-memory.dmp

memory/528-10-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 99c68eea6fc316f2506ec4a4a7f99812
SHA1 0e93ef9fb76acfdb6c2e04a378dc25a7e2611ba4
SHA256 479a22c1f22723baca34fbc9264fe81d1be49ee8ad6edeb36259df9111bdcd71
SHA512 5b7e52ab6da168eb0b4d9b5c890e9db71abe2bc6684d828c1a6931edd2d6617951da6dd6c932ff8b3d029678637e5db4d053991e89cc1f60d0d5dccf22fe21ba

memory/880-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/880-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4576-15-0x0000000000400000-0x0000000000424000-memory.dmp

memory/880-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/880-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/880-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/880-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/880-30-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 4d4d33aa253b82af8b3fe911d48d8188
SHA1 b09c3721e403841fec7795eb71736452766ad957
SHA256 ca108ddca085fde657c6a700e7a38b7dcb3209fe5221145eb185e3b9ecea3beb
SHA512 0cafc2ec98c01255e1b1b3882e6f4714e2ac3f22f285f92c577b2b82a45c3081d6369105ff1356ac13667ddb6c60add77562f9b26a8b0d30f203a4ca2265b520

memory/3372-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2548-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2548-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2548-37-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c153685c7333ef72423023a4a258b1f6
SHA1 da4291d6bf0baebbfe2fda2b9df61e77a07fecdd
SHA256 8bfa55981841c42d20be560c1f2bb212048052f353f39debbf1f9dcd7cbe716a
SHA512 78428ecdd3066dc6050fd72031d727a6ff345b3357f0ef75902c1165e0a35f2c357488bd40416b74ae3c89b027e9dc25c6c2ac958d4c573b0bee2656ff569e24

memory/4180-41-0x0000000000400000-0x0000000000424000-memory.dmp

memory/808-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/808-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/808-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/808-52-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:53

Reported

2024-06-10 12:56

Platform

win7-20240221-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe"

Signatures

Neconyd (family signature; tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor (13 rows, none with indicator details)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

One row per WriteProcessMemory call, with verbatim repeats collapsed into a Writes count. The chain has the same shape as in the Win10 run, with different PIDs and one more write per hop: a process writes into a spawned copy of its own image (6 writes, the hollowing step), then the hollowed copy writes into the next dropped stage (4 writes). Stages: the sample in %TEMP% -> %APPDATA%\omsecor.exe -> SysWOW64\omsecor.exe -> %APPDATA%\omsecor.exe.

Description Writes Process Target
PID 2524 wrote to memory of 2804 6 C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe
PID 2804 wrote to memory of 2736 4 C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 2636 6 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2636 wrote to memory of 1608 4 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1608 wrote to memory of 2684 6 C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2684 wrote to memory of 884 4 C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 884 wrote to memory of 2320 6 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
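The WriteProcessMemory tables of both runs (behavioral2 above and behavioral1 here) are easiest to reason about once the raw rows are turned back into a chain. The script below is an added example, not part of the sandbox report: it re-emits the rows in the sandbox's own text format (one line per logged call, the sample's SHA256-named file shortened to sample.exe for readability), parses them, collapses repeats, follows writer-to-target links from the root, and flags each hop as a write into a copy of the writer's own image (the hollowing step) or into the next dropped stage. The only assumption is the row format shown in the tables.

```python
"""Rebuild the injection chain from sandbox "wrote to memory of" rows.

Added example (not from the original report). The rows are regenerated from
the two WriteProcessMemory tables above; the sample's SHA256-named file is
shortened to sample.exe for readability.
"""
import re
from dataclasses import dataclass

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

TMP = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # shortened name
ROAM = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYS = r"C:\Windows\SysWOW64\omsecor.exe"

# (repeats, writer PID, target PID, writer image, target image): one entry per
# distinct row of each table, with the number of times the row was logged.
WIN10_ROWS = [(5, 4576, 4272, TMP, TMP), (3, 4272, 528, TMP, ROAM),
              (5, 528, 880, ROAM, ROAM), (3, 880, 3372, ROAM, SYS),
              (5, 3372, 2548, SYS, SYS), (3, 2548, 4180, SYS, ROAM),
              (5, 4180, 808, ROAM, ROAM)]
WIN7_ROWS = [(6, 2524, 2804, TMP, TMP), (4, 2804, 2736, TMP, ROAM),
             (6, 2736, 2636, ROAM, ROAM), (4, 2636, 1608, ROAM, SYS),
             (6, 1608, 2684, SYS, SYS), (4, 2684, 884, SYS, ROAM),
             (6, 884, 2320, ROAM, ROAM)]


def render(rows) -> str:
    """Re-emit the rows in the sandbox's text format, one line per logged call."""
    return "\n".join(f"PID {w} wrote to memory of {t} N/A {wi} {ti}"
                     for n, w, t, wi, ti in rows for _ in range(n))


@dataclass(frozen=True)
class Hop:
    writer_pid: int
    target_pid: int
    writer_image: str
    target_image: str
    writes: int

    @property
    def same_image(self) -> bool:
        # Writing into a process that runs the writer's own image is the
        # hollowing pattern: spawn self suspended, overwrite, SetThreadContext.
        return self.writer_image.lower() == self.target_image.lower()


def parse_hops(text: str) -> list[Hop]:
    """Collapse repeated rows into one Hop per (writer, target) pair with a count."""
    counts: dict[tuple[int, int], list] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, blank line or a row of another signature
        entry = counts.setdefault((int(m[1]), int(m[2])), [m[3], m[4], 0])
        entry[2] += 1
    return [Hop(w, t, wi, ti, n) for (w, t), (wi, ti, n) in counts.items()]


def order_chain(hops: list[Hop]) -> list[Hop]:
    """Follow writer -> target links from the root: the writer nobody wrote into."""
    by_writer: dict[int, list[Hop]] = {}
    for h in hops:
        by_writer.setdefault(h.writer_pid, []).append(h)
    targets = {h.target_pid for h in hops}
    roots = [pid for pid in by_writer if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid in by_writer and pid not in seen:
        seen.add(pid)
        out = by_writer[pid]
        if len(out) != 1:
            raise ValueError(f"PID {pid} wrote into {len(out)} processes; not a chain")
        chain.append(out[0])
        pid = out[0].target_pid
    return chain


def stage_images(chain: list[Hop]) -> list[str]:
    """On-disk images in execution order, consecutive repeats merged."""
    seq = [chain[0].writer_image]
    for h in chain:
        if h.target_image != seq[-1]:
            seq.append(h.target_image)
    return seq


def shape(chain: list[Hop]) -> list[bool]:
    """PID-independent fingerprint: the same-image flag of each hop in order."""
    return [h.same_image for h in chain]


if __name__ == "__main__":
    for name, rows in (("win10", WIN10_ROWS), ("win7", WIN7_ROWS)):
        chain = order_chain(parse_hops(render(rows)))
        pids = [h.writer_pid for h in chain] + [chain[-1].target_pid]
        print(name, " -> ".join(map(str, pids)))
        for h in chain:
            kind = "same image (hollowing)" if h.same_image else "next stage"
            print(f"  {h.writer_pid} -> {h.target_pid}: {h.writes} writes, {kind}")
        print("  stages:", " -> ".join(stage_images(chain)))
```

Run stand-alone it prints both chains. The useful output is `shape()` and `stage_images()`: they are identical for the two runs even though every PID and the per-hop write counts differ, which is the property to pivot on when comparing this sample with other Neconyd detonations.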

Processes

One row per process: the image the sandbox saw running, then the command line it was started with.

Image Command line
C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe "C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe"
C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe C:\Users\Admin\AppData\Local\Temp\62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

The System32 command line on a SysWOW64 image is the same WOW64 file-system redirection seen in the Win10 run (the sample is 32-bit; its image is mapped at 0x400000 in the memory dumps). Unlike the Win10 run, no WerFault.exe processes were recorded here, so the launchers did not crash on Win7.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
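The two Network tables (Win10 above, Win7 here) give three domains and three port 80 destinations, mixed with reverse lookups that are not indicators. The script below is an added example, not part of the report: it takes the indicators from the tables and runs them over a constructed DNS/connection log excerpt (the log format and the lines in SAMPLE_LOG are invented for the example), skipping in-addr.arpa PTR queries and matching subdomains of the C2 domains as well as exact names, which goes slightly beyond the report, where only bare domains appear.

```python
"""Match DNS and connection log lines against the indicators in the two
Network tables above. Added example, not from the original report; the log
format and the lines in SAMPLE_LOG are constructed for the example."""
import re

# Indicators from the Network tables (win10 and win7 runs).
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}

DNS_RE = re.compile(r"\bdns query (\S+)")
CONN_RE = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):\d+\b")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot of an absolute DNS name."""
    return name.rstrip(".").lower()


def is_reverse_lookup(name: str) -> bool:
    # PTR lookups are what produced the *.in-addr.arpa rows in the report;
    # they are resolver noise, not something the sample asked for by name.
    return normalize(name).endswith((".in-addr.arpa", ".ip6.arpa"))


def matching_domain(name: str):
    """Return the C2 domain that `name` equals or is a subdomain of, else None."""
    n = normalize(name)
    for dom in C2_DOMAINS:
        if n == dom or n.endswith("." + dom):  # dot boundary: notlousta.net is no hit
            return dom
    return None


def match_line(line: str):
    """Return ("domain", dom) or ("ip", addr) for a hit, None otherwise."""
    m = DNS_RE.search(line)
    if m:
        if is_reverse_lookup(m[1]):
            return None
        dom = matching_domain(m[1])
        return ("domain", dom) if dom else None
    m = CONN_RE.search(line)
    if m and m[1] in C2_IPS:
        return ("ip", m[1])
    return None


def scan(lines) -> list[tuple[int, str, str]]:
    """[(line_no, kind, indicator)] for every hit; line numbers are 1-based."""
    hits = []
    for no, line in enumerate(lines, 1):
        hit = match_line(line)
        if hit:
            hits.append((no, *hit))
    return hits


# Constructed log excerpt, not from the report.
SAMPLE_LOG = [
    "2024-06-10T12:54:01Z host=WS01 dns query lousta.net",
    "2024-06-10T12:54:01Z host=WS01 conn 10.0.0.5:49712 -> 193.166.255.171:80",
    "2024-06-10T12:54:02Z host=WS01 dns query 154.239.44.20.in-addr.arpa",
    "2024-06-10T12:54:03Z host=WS01 dns query notlousta.net",
    "2024-06-10T12:54:04Z host=WS01 dns query update.mkkuei4kdsz.com.",
    "2024-06-10T12:54:05Z host=WS01 conn 10.0.0.5:49713 -> 8.8.8.8:53",
    "2024-06-10T12:54:06Z host=WS01 conn 10.0.0.5:49714 -> 52.34.198.229:80",
]

if __name__ == "__main__":
    for no, kind, ioc in scan(SAMPLE_LOG):
        print(f"line {no}: {kind} {ioc}")
```

The domain matches are the ones to alert on; the IP matches are weaker evidence, since the three addresses belong to hosting providers whose customers change, so an IP hit without a matching DNS query deserves a look at what else the host sent to that address before it is escalated.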

Files

memory/2524-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2804-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2804-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2804-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2524-7-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2804-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2804-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2736-20-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 99c68eea6fc316f2506ec4a4a7f99812
SHA1 0e93ef9fb76acfdb6c2e04a378dc25a7e2611ba4
SHA256 479a22c1f22723baca34fbc9264fe81d1be49ee8ad6edeb36259df9111bdcd71
SHA512 5b7e52ab6da168eb0b4d9b5c890e9db71abe2bc6684d828c1a6931edd2d6617951da6dd6c932ff8b3d029678637e5db4d053991e89cc1f60d0d5dccf22fe21ba

memory/2736-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2636-32-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2636-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2636-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2636-41-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 517e93448a84852f0a1293370b34f939
SHA1 54951d1c61cfe20a58754eae67bbc38268b6ad43
SHA256 b07bf7db15850bc57e391e0f5c565075d4cfc82271f0a9540536a2109897c474
SHA512 134a85e72127637b51fc56cbe68e0eb0cc83d50ffd4ebd6a87ea87aafd90787d7eb4e6f9a5183d68ad0041590da9e7bcc12961c046756d22fdc3e08293450979

memory/2636-44-0x0000000000570000-0x0000000000594000-memory.dmp

memory/1608-60-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2636-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1608-63-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7f82d7768e5afe5095681c9df353e150
SHA1 3a9adc03c3f8b6ecbba8daa4cafa58ce72c48b10
SHA256 60ab219386f3fc7647105013586e0777a6ea5c4d229bc8a4a999b2b63e34f449
SHA512 7a3849a7b12a1f2aac3d48e286f6e03b5499b0d846ab59aab18a09a0f970d880ef1b46ddc0a641b853a278624408c8e165c50d3a1546b7f2d51dda13d5db7361

memory/2684-67-0x0000000000230000-0x0000000000254000-memory.dmp

memory/884-76-0x0000000000400000-0x0000000000424000-memory.dmp

memory/884-82-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2320-85-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2320-88-0x0000000000400000-0x0000000000429000-memory.dmp
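The Files sections of the two runs show why path matters more than hash for this family: the first %APPDATA%\omsecor.exe drop has the same SHA256 in both runs (479a22c1...), but the SysWOW64 copy and the second %APPDATA% copy differ between Win10 and Win7. The script below is an added example, not part of the report: it looks for omsecor.exe at the two drop paths the report records, hashes what it finds, and treats an unrecognised file at a drop path as a hit rather than a miss. Paths come from the report; APPDATA and SystemRoot are read from the environment when set, and the command-line entry point simply prints the verdicts.

```python
"""Look for the Neconyd drop paths and hashes recorded in the Files sections
above. Added example, not from the original report. Drop paths are the
report's (APPDATA and SystemRoot are taken from the environment when set)."""
import hashlib
import os
from pathlib import Path, PureWindowsPath

SAMPLE_SHA256 = "62914d591da2c0450aca2faf74a82c6e86a03bb0bd060bbc633a0a2ac15b3dcd"
# Every omsecor.exe hash recorded across the two runs. Only the first drop
# kept its hash between runs; the later ones differ, so the path matters
# more than the hash when hunting.
DROP_SHA256 = {
    "479a22c1f22723baca34fbc9264fe81d1be49ee8ad6edeb36259df9111bdcd71",  # Roaming, first drop, both runs
    "ca108ddca085fde657c6a700e7a38b7dcb3209fe5221145eb185e3b9ecea3beb",  # SysWOW64, win10
    "8bfa55981841c42d20be560c1f2bb212048052f353f39debbf1f9dcd7cbe716a",  # Roaming, second drop, win10
    "b07bf7db15850bc57e391e0f5c565075d4cfc82271f0a9540536a2109897c474",  # SysWOW64, win7
    "60ab219386f3fc7647105013586e0777a6ea5c4d229bc8a4a999b2b63e34f449",  # Roaming, second drop, win7
}
DROP_NAME = "omsecor.exe"


def drop_paths() -> list[Path]:
    """The two drop locations from the report, resolved against this host's environment."""
    appdata = os.environ.get("APPDATA", r"C:\Users\Admin\AppData\Roaming")
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    return [Path(appdata) / DROP_NAME, Path(windir) / "SysWOW64" / DROP_NAME]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, digest: str) -> str:
    """Verdict for a file at `path` (str or Path, Windows or POSIX form) with SHA256 `digest`."""
    if digest == SAMPLE_SHA256:
        return "original sample"
    if digest in DROP_SHA256:
        return "known Neconyd drop"
    # PureWindowsPath splits on both separators, so this also works off-host.
    if PureWindowsPath(str(path)).name.lower() == DROP_NAME:
        return "unrecognised file at Neconyd drop path"
    return "clean"


def check_host(paths=None) -> list[tuple[str, str, str]]:
    """[(path, sha256, verdict)] for every candidate path that exists as a file."""
    results = []
    for p in map(Path, paths or drop_paths()):
        if p.is_file():
            d = sha256_file(p)
            results.append((str(p), d, classify(p, d)))
    return results


if __name__ == "__main__":
    hits = check_host()
    for path, digest, verdict in hits:
        print(f"{verdict}: {path} ({digest})")
    if not hits:
        print("no omsecor.exe at either drop path")
```

An "unrecognised file at Neconyd drop path" verdict is the expected outcome on a freshly infected host, because every stage after the first is rewritten with different content; capture that file and its SHA256 for the IOC set instead of discarding the hit.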