Malware Analysis Report

2024-09-11 08:40

Sample ID: 240612-fra6ss1glf
Target: dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1
SHA256: dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1
Threat Level: Known bad

The file dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1 was found to be: Known bad.

Malicious Activity Summary

Family tags: neconyd, trojan. Both behavioral runs match the Neconyd signature.

Signatures triggered (the sandbox lists the MPress and Neconyd hits once per analysis; they are deduplicated here):

Detects executables built or packed with MPress PE compressor. Static hit on the submitted file: the on-disk sample is packed, so strings and imports read before unpacking describe the packer stub, not the payload.

Unsigned PE.

Executes dropped EXE; Loads dropped DLL.

Drops file in System32 directory. The recorded path is C:\Windows\SysWOW64\omsecor.exe, written by the copy running from C:\Users\Admin\AppData\Roaming\omsecor.exe.

Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext. Every process in the chain writes into a freshly started child, and that child runs either the writer's own image or the binary it has just dropped. Writing into a new process of the same image and then changing its thread context is the shape process hollowing produces; the report does not itself assert hollowing, and SetThreadContext is listed in this summary only, without a per-process row. The per-process memory dumps in the Files sections are the place to confirm it.

Program crash. Seen only in the Windows 10 run (behavioral2), where WerFault.exe is launched for each process that performed the write into the next stage.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 05:05

Signatures

Detects executables built or packed with MPress PE compressor
  No description, indicator, process or target recorded (static match on the submitted file).

Unsigned PE
  No description, indicator, process or target recorded.
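Added example, not part of the sandbox report or its signature set: a dependency-free check for the section-name convention the MPress signature above keys on. MPress normally names its two sections .MPRESS1 and .MPRESS2; any packer, or a hand edit, can rename sections, so a hit is a cue to unpack before static analysis rather than proof. The PE skeleton built below is a constructed, non-executable header used only to exercise the parser; on the real sample you would read the file bytes instead.

```python
import struct

# Added example: minimal PE section-table reader plus the MPress section-name
# heuristic. The section names are MPress's usual convention (packer-controlled,
# so treat a hit as a hint, not proof).

def pe_section_names(data: bytes):
    """Return the section names of a PE image using only the standard library."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after "PE\0\0"
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes, Name first
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_mpress_packed(data: bytes) -> bool:
    """True when both MPress section names are present (case-insensitive)."""
    names = [n.upper() for n in pe_section_names(data)]
    return ".MPRESS1" in names and ".MPRESS2" in names


def build_test_pe(section_names):
    """Constructed, non-executable PE skeleton carrying just the headers read above."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                          # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    secs = b"".join(
        n.encode("ascii")[:8].ljust(8, b"\0") + bytes(32) for n in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    packed = build_test_pe([".MPRESS1", ".MPRESS2", ".rsrc"])
    plain = build_test_pe([".text", ".rdata", ".data", ".rsrc"])
    print(pe_section_names(packed), looks_mpress_packed(packed))
    print(pe_section_names(plain), looks_mpress_packed(plain))
```

To run it against a file, pass `open(path, "rb").read()` to `looks_mpress_packed`; the reader deliberately stops at the section table and does not validate the rest of the image.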

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 05:05
Reported: 2024-06-12 05:08
Platform: win7-20240220-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor
  12 matching entries, none with a description, indicator, process or target recorded.

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Suspicious use of WriteProcessMemory

The sandbox emits one row per WriteProcessMemory call; identical rows are collapsed here and the count kept. No sizes or target addresses are recorded, so the counts describe only the call pattern.

Writer PID -> Target PID (calls): writer image -> target image
2916 -> 3068 (6): C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe -> same image
3068 -> 2492 (4): C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe
2492 -> 2552 (6): C:\Users\Admin\AppData\Roaming\omsecor.exe -> same image
2552 -> 816 (4): C:\Users\Admin\AppData\Roaming\omsecor.exe -> C:\Windows\SysWOW64\omsecor.exe
816 -> 2108 (6): C:\Windows\SysWOW64\omsecor.exe -> same image
2108 -> 2012 (4): C:\Windows\SysWOW64\omsecor.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe
2012 -> 2764 (6): C:\Users\Admin\AppData\Roaming\omsecor.exe -> same image

The rows form one linear chain: 2916 -> 3068 -> 2492 -> 2552 -> 816 -> 2108 -> 2012 -> 2764. Every hop into a child running the writer's own image carries 6 writes and every hop into the next dropped binary carries 4. The sample alternates between re-launching itself and launching the copy it just dropped, and each newly launched binary is itself written into by the stage that launched it.
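Added example, not from the report: a script that takes the raw WriteProcessMemory rows in the shape the sandbox emits (re-created here as constructed input from the behavioral1 run, with the sample's hashed file name written out in full) and rebuilds the writer-to-target chain, labelling each hop as a write into a child of the writer's own image or into the next dropped binary. The linear-chain assumption and the hop labels are mine; a sample that injects into several children at once would need a tree walk instead of the single-path walk below.

```python
import re
from collections import Counter

# Added example: parse raw "Suspicious use of WriteProcessMemory" rows and
# rebuild the injection chain. Row shape emitted by the sandbox report:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>

TMP = r"C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYS = r"C:\Windows\SysWOW64\omsecor.exe"

# (src pid, dst pid, src image, dst image, times the row repeats) as listed for
# the behavioral1 (win7) run; expanded below into constructed raw report text.
_BEHAVIORAL1 = [
    (2916, 3068, TMP, TMP, 6),
    (3068, 2492, TMP, ROAM, 4),
    (2492, 2552, ROAM, ROAM, 6),
    (2552, 816, ROAM, SYS, 4),
    (816, 2108, SYS, SYS, 6),
    (2108, 2012, SYS, ROAM, 4),
    (2012, 2764, ROAM, ROAM, 6),
]
REPORT_ROWS = "\n".join(
    f"PID {s} wrote to memory of {d} N/A {si} {di}"
    for s, d, si, di, n in _BEHAVIORAL1 for _ in range(n)
)

# The second path is anchored on a drive letter so the first may contain spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(text):
    """Collapse repeated rows into Counter{(src_pid, dst_pid, src_img, dst_img): n}."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            counts[(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return counts


def injection_chain(counts):
    """Walk writer->target edges starting from the one PID that is never a target.

    A hop is "same-image" when a process writes into a child running its own
    binary (the shape process hollowing produces) and "next-stage" when it
    writes into the binary it has just dropped. Assumes a single linear chain.
    """
    by_src = {}
    for (s, d, si, di), n in counts.items():
        by_src.setdefault(s, []).append((d, si, di, n))
    roots = set(by_src) - {d for (_, d, _, _) in counts}
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, got {sorted(roots)}")
    pid = roots.pop()
    chain, seen = [], {pid}
    while pid in by_src:
        if len(by_src[pid]) != 1:
            raise ValueError(f"PID {pid} writes into several targets; not a linear chain")
        d, si, di, n = by_src[pid][0]
        if d in seen:
            raise ValueError(f"cycle at PID {d}")
        seen.add(d)
        chain.append({
            "src": pid, "dst": d, "writes": n, "dst_image": di,
            "kind": "same-image" if si.lower() == di.lower() else "next-stage",
        })
        pid = d
    return chain


def dropped_images(chain):
    """Distinct target binaries in chain order: the files to collect and hash."""
    out = []
    for hop in chain:
        if hop["dst_image"] not in out:
            out.append(hop["dst_image"])
    return out


if __name__ == "__main__":
    hops = injection_chain(parse_rows(REPORT_ROWS))
    for h in hops:
        print(f"{h['src']:>5} -> {h['dst']:<5} {h['writes']}x  {h['kind']:<10} {h['dst_image']}")
    print("images:", *dropped_images(hops), sep="\n  ")
```

The same parser applies unchanged to the behavioral2 rows further down; only the PIDs and the per-hop counts differ.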

Processes

PIDs are taken from the WriteProcessMemory rows above, matched to this list in start order (the list alternates the same images in the same sequence).

PID 2916
  Image:        C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe"

PID 3068
  Image:        C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe

PID 2492
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 2552
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 816
  Image:        C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

PID 2108
  Image:        C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe

PID 2012
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 2764
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 816 is launched with a System32 path but runs from SysWOW64. On 64-bit Windows a 32-bit process that creates or opens a file under C:\Windows\System32 is redirected to C:\Windows\SysWOW64 by WOW64 file system redirection, which is consistent with the "Drops file in System32 directory" hit landing in SysWOW64. When hunting, match omsecor.exe under both directories.

Network

Identical rows are collapsed with a count.

Country  Destination           Domain            Proto  Count
US       8.8.8.8:53            lousta.net        udp    1
FI       193.166.255.171:80    lousta.net        tcp    4
US       8.8.8.8:53            mkkuei4kdsz.com   udp    1
US       64.225.91.73:80       mkkuei4kdsz.com   tcp    2
US       8.8.8.8:53            ow5dirasuek.com   udp    1
US       52.34.198.229:80      ow5dirasuek.com   tcp    1

8.8.8.8:53 is the sandbox's resolver, not an indicator. The three domains are the durable indicators; the IPs are what they resolved to from the sandbox on 2024-06-12 and may be parking or sinkhole addresses, so treat them as lower confidence and re-resolve before blocking.

Files

Dropped files, in the order the sandbox recorded them (hashes as reported):

\Users\Admin\AppData\Roaming\omsecor.exe (first write)
  MD5    809853ed6722a0443f0955ec6cf7a208
  SHA1   7d1f5a9c1047b04754906a23598087c074b75a13
  SHA256 f5aeae073c1f3b32747a1aad80151af27560d827dfe2fe7a1ab6b2aa0015843b
  SHA512 91c21c8ace33a2df1d256cb1f91c36d2482d9d25832c23a46a34730c9afa766ddd2c336f5876aa0325e04e6506586fe17573167026f299fa908bce09821d0e1b

\Windows\SysWOW64\omsecor.exe
  MD5    53526d336707c4c808934cb71152bcce
  SHA1   6bd6c97e28f19e619fee4b9dfc389c9e1b642f6d
  SHA256 3584b5d99015839d742d553d7f8dfbbcdb026e2850be5061e2e27b3e72659ff0
  SHA512 73a874605b0678fb414cb3be8c33492423d503c70cb2880ab96a211d5a1f1135b874f28cc531e2d7b5a026afb2f10ed53e8e9d7f65052863959232b94875cab1

\Users\Admin\AppData\Roaming\omsecor.exe (rewritten later in the chain)
  MD5    d5ab27d9f05ee40149b5b88fd4805d00
  SHA1   424f686fbf3d54cb1b77b0f14bd58948c8f83dfb
  SHA256 f2ef497b553bc592bc246a31fb2d3bb0602a365b17d14069322a50413e81894e
  SHA512 5f9497ee99458d9894b311e476ced4c0b48a4268c045152adda93ce7ac720852175ac4cc9ae23885b0b1123e3a2b109bc889fd50a085fadaf00af5a774ad00aa

The Roaming copy is recorded twice with different hashes, so it is rewritten during the chain. Only the first Roaming drop (MD5 809853ed6722a0443f0955ec6cf7a208) is identical in the Windows 10 run below; the SysWOW64 copy and the second Roaming copy hash differently there. Hash-based indicators for omsecor.exe are therefore weak; the file name and the two paths are the stable indicators.

Memory dumps (file names follow memory/<PID>-<index>-<start>-<end>-memory.dmp):

PID 2916: 0x0000000000400000-0x0000000000423000 (indexes 0, 7)
PID 3068: 0x0000000000400000-0x0000000000429000 (1, 5, 9, 11); 0x000000007EFDE000-0x000000007EFDF000 (3)
PID 2492: 0x0000000000400000-0x0000000000423000 (21, 31)
PID 2552: 0x0000000000400000-0x0000000000429000 (34, 37, 40, 43, 54); 0x0000000000290000-0x00000000002B3000 (46)
PID 816:  0x0000000000400000-0x0000000000423000 (65)
PID 2108: 0x0000000000230000-0x0000000000253000 (70)
PID 2012: 0x0000000000400000-0x0000000000423000 (78, 86)
PID 2764: 0x0000000000400000-0x0000000000429000 (88, 91)

Two image sizes alternate along the chain: the processes that perform the writes (2916, 2492, 816, 2012) are dumped as a 0x23000-byte image at 0x400000, while the processes written into (3068, 2552, 2764) carry a 0x29000-byte image at the same base. That is consistent with the child's original mapping being replaced before it runs, which is what the SetThreadContext hit in the summary would accompany. The 0x23000-byte private regions in 2552 and 2108 are the size of the writer image.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 05:05
Reported: 2024-06-12 05:08
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor
  9 matching entries, none with a description, indicator, process or target recorded.

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Suspicious use of WriteProcessMemory

One row per WriteProcessMemory call as in behavioral1; identical rows are collapsed here with their count.

Writer PID -> Target PID (calls): writer image -> target image
3196 -> 1932 (5): C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe -> same image
1932 -> 2708 (3): C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe
2708 -> 3612 (5): C:\Users\Admin\AppData\Roaming\omsecor.exe -> same image
3612 -> 432 (3): C:\Users\Admin\AppData\Roaming\omsecor.exe -> C:\Windows\SysWOW64\omsecor.exe
432 -> 3780 (5): C:\Windows\SysWOW64\omsecor.exe -> same image
3780 -> 116 (3): C:\Windows\SysWOW64\omsecor.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe
116 -> 3884 (5): C:\Users\Admin\AppData\Roaming\omsecor.exe -> same image

The chain is the same eight-process sequence as on Windows 7 (3196 -> 1932 -> 2708 -> 3612 -> 432 -> 3780 -> 116 -> 3884), with one fewer recorded write per hop: 5 for a same-image child and 3 for the next dropped binary.

Processes

PIDs for the sample's own processes are taken from the WriteProcessMemory rows above, matched to this list in start order; the crashed PIDs come from WerFault's own -p argument (WerFault's PIDs are not recorded).

PID 3196
  Image:        C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe"

PID 1932
  Image:        C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\dbf53dbc8eb25d006a59e9b5c1073f47991c3e665f7bdafcd28c1ed92be8d6c1.exe

PID 2708
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Crash handling for PID 3196:
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196
  C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 288

PID 3612
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Crash handling for PID 2708:
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2708 -ip 2708
  C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 300

PID 432
  Image:        C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

PID 3780
  Image:        C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe

Crash handling for PID 432:
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 432 -ip 432
  C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 292

PID 116
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 3884
  Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Crash handling for PID 116:
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 116 -ip 116
  C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 256

WerFault.exe is invoked for 3196, 2708, 432 and 116, exactly the four processes that launch and write into the next dropped binary, and each time only after that next stage has started. This is the "Program crash" signature from the summary; the chain still completes, so the crash does not stop the infection. The Windows 7 run executes the same chain with no WerFault activity. As on Windows 7, PID 432 is launched with a System32 path but runs from SysWOW64 (WOW64 file system redirection).

Network

Identical rows are collapsed with a count.

Country  Destination   Domain            Proto  Count
US       8.8.8.8:53    lousta.net        udp    4
US       8.8.8.8:53    ow5dirasuek.com   udp    2
US       8.8.8.8:53    mkkuei4kdsz.com   udp    1

Only DNS lookups to the sandbox resolver are recorded in this run; no TCP connection to any of the three domains follows within the 151 s network window. The report does not say whether resolution failed or the sample simply never connected, so the domains stay as indicators while this run contributes no IPs.
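Added example, not from the report: a parser for the Network tables of both runs (re-created here as constructed input, one line per original row) that separates the sandbox resolver from endpoints the sample actually reached, counts lookups and TCP sessions per domain, and splits the result into domains, contacted IPs, and domains that were queried but never contacted. The rule that an IP counts as an indicator only when a TCP session to it was observed is my choice, not the sandbox's.

```python
from collections import Counter

# Added example: turn the report's Network rows into a per-domain summary and an
# indicator list. Row shape in the report: <country> <ip:port> <domain> <proto>

# Rows copied from this page's two runs (constructed sample input).
BEHAVIORAL1 = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""
BEHAVIORAL2 = """\
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
"""


def parse_network(text):
    """Parse report rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Per domain: lookup count and the (ip, port) endpoints contacted over TCP.

    An IP seen only as a udp/53 destination is treated as the sandbox's
    resolver; an IP that also carries other traffic is not.
    """
    resolvers = {r["ip"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    resolvers -= {r["ip"] for r in rows if not (r["proto"] == "udp" and r["port"] == 53)}
    per_domain = {}
    for r in rows:
        entry = per_domain.setdefault(
            r["domain"], {"lookups": 0, "tcp": Counter(), "countries": set()})
        if r["ip"] in resolvers:
            entry["lookups"] += 1
        elif r["proto"] == "tcp":
            entry["tcp"][(r["ip"], r["port"])] += 1
            entry["countries"].add(r["country"])
    return resolvers, per_domain


def indicators(per_domain):
    """Domains are always indicators; an IP only when a TCP session to it was seen.

    Domains that were queried but never contacted are listed separately so the
    analyst can decide whether resolution failed or the sample never got that far.
    """
    domains = sorted(per_domain)
    ips = sorted({ip for e in per_domain.values() for (ip, _) in e["tcp"]})
    queried_only = sorted(d for d, e in per_domain.items() if not e["tcp"])
    return {"domains": domains, "ips": ips, "queried_only": queried_only}


if __name__ == "__main__":
    for name, text in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        resolvers, per_domain = summarize(parse_network(text))
        print(name, "resolvers:", sorted(resolvers))
        for dom, e in per_domain.items():
            print(f"  {dom:<18} lookups={e['lookups']} tcp={dict(e['tcp'])}")
        print("  indicators:", indicators(per_domain))
```

Run on both tables it reports the three domains and three contacted IPs for the Windows 7 run, and the same three domains as queried-only with no IPs for the Windows 10 run.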

Files

Dropped files, in the order the sandbox recorded them (hashes as reported):

C:\Users\Admin\AppData\Roaming\omsecor.exe (first write; identical to the first Roaming drop in behavioral1)
  MD5    809853ed6722a0443f0955ec6cf7a208
  SHA1   7d1f5a9c1047b04754906a23598087c074b75a13
  SHA256 f5aeae073c1f3b32747a1aad80151af27560d827dfe2fe7a1ab6b2aa0015843b
  SHA512 91c21c8ace33a2df1d256cb1f91c36d2482d9d25832c23a46a34730c9afa766ddd2c336f5876aa0325e04e6506586fe17573167026f299fa908bce09821d0e1b

C:\Windows\SysWOW64\omsecor.exe (different content from the SysWOW64 copy in behavioral1)
  MD5    7f1bfeb18bda9fb1308ffdb541327d8c
  SHA1   207bfde38376f50fbeda9c30a63574122f9648fc
  SHA256 7d6536beb3be64a5164080e5eba62f2f043e4ddbea6d38c050a82335a816b1af
  SHA512 ff0a81d8aca9895639128faffb96ca593f04f4933123d49e2af3c0eace94d4db05a86aa396cf4fc895803a2554de8e0e4d5ab7b9874cecd30ce94db05653ebe4

C:\Users\Admin\AppData\Roaming\omsecor.exe (rewritten later in the chain; different content from the second Roaming copy in behavioral1)
  MD5    4b42b382a13ca6b965dd5b000c1fda29
  SHA1   3f7e5be1da4fa735dce2bbfd3ffb39892f57cbee
  SHA256 a4273139ef9ef32af273a1366204a1e333aa454f15a7ced2ee4b222185e340cf
  SHA512 dcee07d46a844fde81ee261076b1802bb5d12ac93e08c20e25e70f26a11318a14366da8d9fc2baf7fe14906dbfaa71ac37163ff2d29e988301f14eeb40130109

Memory dumps (file names follow memory/<PID>-<index>-<start>-<end>-memory.dmp):

PID 3196: 0x0000000000400000-0x0000000000423000 (indexes 0, 17)
PID 1932: 0x0000000000400000-0x0000000000429000 (1, 2, 3, 10)
PID 2708: 0x0000000000400000-0x0000000000423000 (11)
PID 3612: 0x0000000000400000-0x0000000000429000 (14, 15, 19, 21, 23, 24, 30)
PID 432:  0x0000000000400000-0x0000000000423000 (31, 50)
PID 3780: 0x0000000000400000-0x0000000000429000 (35, 36, 38)
PID 116:  0x0000000000400000-0x0000000000423000 (43)
PID 3884: 0x0000000000400000-0x0000000000429000 (47, 48, 52, 54, 56, 58)

The same alternation as on Windows 7: every writer (3196, 2708, 432, 116) is dumped as a 0x23000-byte image at 0x400000 and every process written into (1932, 3612, 3780, 3884) as a 0x29000-byte image at the same base. The 0x29000-byte dumps are the ones to pull for the unpacked payload.