Malware Analysis Report

2024-09-11 08:34

Sample ID 240610-vzzxfsvbmq
Target cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9
SHA256 cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9

Threat Level: Known bad

The file cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 17:26

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 17:26

Reported

2024-06-10 17:28

Platform

win7-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2436 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2436 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2436 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2436 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2436 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2116 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2616 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2616 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2616 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2616 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2496 wrote to memory of 1284 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2496 wrote to memory of 1284 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2496 wrote to memory of 1284 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2496 wrote to memory of 1284 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2496 wrote to memory of 1284 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2496 wrote to memory of 1284 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1284 wrote to memory of 2248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1284 wrote to memory of 2248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1284 wrote to memory of 2248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1284 wrote to memory of 2248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe

"C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe"

C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe

C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

memory/2436-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2436-2-0x0000000000240000-0x0000000000263000-memory.dmp

memory/2436-8-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2116-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2116-6-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2116-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2116-12-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2116-1-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6910f7986957e357465c590a984f4a79
SHA1 b0ccb2c48d9ad3e8caeebc1de040220fb1760344
SHA256 645a87f8fbdd27c797dff68cce97548392faecb84d2a1e194cbd61b7115dffed
SHA512 f9b19f6c931b896d6e134d8c91f5d4361cbab23637e41aa65e727535e72bc9dc903067f64e7c882b4fd14331be9282c5e07171f7029010bd269d8c5065878e78

memory/2360-22-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2360-25-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2360-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2616-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2616-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2616-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2616-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 465ffff45832e870b0303e14cb765911
SHA1 30603fc8a678fa1bcbd2d16226368913731fc936
SHA256 25fef60d9bc49af290a2908d6f85c9f484c1bf20e1c220e9a410977d8cdcb11c
SHA512 59bbcc69e7c618b453cacaad4e6881a36e11e27f171ec674d4391d3037e18038771e5ca77dfca962fab11d6f1ec7d87060f2e9cf8fba71646b5a0a034e14c02c

memory/2616-47-0x0000000000310000-0x0000000000333000-memory.dmp

memory/2616-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2496-65-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b9f93b48d588c9d3cb16c877a6e64359
SHA1 3ce3380e4a837ef6dd84d33f6555cfd5ce07ef74
SHA256 d8ed6cbd80f09a076067deafed7ab62960a65d3ebe51e40eed9b6a4ad0efe6d9
SHA512 c67a9a894b2104d7d88d720d9084c8f95e0a297113a08d9738e0c6206bfc9e14727daa76e4a7bfe00c0767d0f810eafaffb892aa341d0d9fe7803d44ea1e09de

memory/2248-78-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2248-86-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2900-88-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2900-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2900-92-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 17:26

Reported

2024-06-10 17:28

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2120 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2120 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2120 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2120 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe
PID 2296 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2296 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2296 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2312 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2312 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2312 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2312 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2312 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3088 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3088 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3088 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3880 wrote to memory of 4980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3880 wrote to memory of 4980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3880 wrote to memory of 4980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3880 wrote to memory of 4980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3880 wrote to memory of 4980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 4980 wrote to memory of 4200 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4980 wrote to memory of 4200 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4980 wrote to memory of 4200 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4200 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4200 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4200 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4200 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4200 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe

"C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe"

C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe

C:\Users\Admin\AppData\Local\Temp\cc50812272f08a06b7f5b9c625e8b235abeedf595a1ab123e5a1e7c9cec67fd9.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2120 -ip 2120

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 300

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3880 -ip 3880

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/2120-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2296-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2296-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2296-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2296-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6910f7986957e357465c590a984f4a79
SHA1 b0ccb2c48d9ad3e8caeebc1de040220fb1760344
SHA256 645a87f8fbdd27c797dff68cce97548392faecb84d2a1e194cbd61b7115dffed
SHA512 f9b19f6c931b896d6e134d8c91f5d4361cbab23637e41aa65e727535e72bc9dc903067f64e7c882b4fd14331be9282c5e07171f7029010bd269d8c5065878e78

memory/2312-9-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3088-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2312-17-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3088-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-29-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 492a997599c52ae04650174a22184e6f
SHA1 49c1a009bcd16bfb37f5ba0212cdfeba90fbb7e0
SHA256 d8b35869c3f2a94f6f689a69ba4282ba5c262ed151c6cb3b01dc8e83aa2586b8
SHA512 ea2c8290407bd4fe41ee48fbdb3143a23948e53eb67473160cebd92a6a4d180811be680dac98cad830240556b9c88c18e335b378cb79380a2849a9abd08e288c

memory/3880-32-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4980-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4980-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4980-38-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5e82e53d3e3bb4e810786cab4927fe56
SHA1 c1af348e5c1cf71cb14bf753536e2ad54dfb9bb0
SHA256 a27946b7c4e11cbc88abcc80ce230742a7392200b693b74f9271e03963498e0a
SHA512 9491448244ba1a2d7c64f2ac80a89e998b1634ccb03acaa1cb25162bbbf76137f9c021e985ce5cc241b60f749ce36ef2b236ded760f5026b809a073c3a6b75f1

memory/4200-43-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2376-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2376-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3880-50-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2376-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2376-55-0x0000000000400000-0x0000000000429000-memory.dmp