Malware Analysis Report

2024-09-11 08:31

Sample ID 240614-fh5n2swamc
Target dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93
SHA256 dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93

Threat Level: Known bad

The file dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:53

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:53

Reported

2024-06-14 04:55

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 4728 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 4728 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 4728 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 4728 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 2424 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5092 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5092 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5092 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5092 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5092 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3544 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3544 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3544 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5004 wrote to memory of 784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5004 wrote to memory of 784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5004 wrote to memory of 784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5004 wrote to memory of 784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5004 wrote to memory of 784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 784 wrote to memory of 4308 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 784 wrote to memory of 4308 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 784 wrote to memory of 4308 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4308 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4308 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4308 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4308 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4308 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe

"C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe"

C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe

C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5004 -ip 5004

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4308 -ip 4308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
GB 92.123.142.91:443 www.bing.com tcp
US 8.8.8.8:53 91.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/4728-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2424-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2424-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2424-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2424-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1ca46b910477a54f2e1849450bb7b469
SHA1 b855673f3d8c29d055afcc9bb96c6b272d857ef1
SHA256 77494d6872653d761626216368bfbced553450f2089dfbe9aafd276d4964706a
SHA512 afa5e49b3ca9156e8ac2562abc90302b0dace243704c2f831b7476342ef44e48b1ecbb8f34ca713fee0e614d6c0bb853ae413e237a051df62e7774a49a9258b0

memory/5092-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3544-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3544-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4728-16-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3544-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3544-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3544-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3544-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3544-28-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d7150aae65af0f67f42dd5fe6212f76b
SHA1 72861a42da1551ec6c83696c08b63747a0f85563
SHA256 32216105b45e8420edf7ac0daa2dadb512988baf1be97a828727f084ccce8624
SHA512 6d4c5532a3493c6be4eaa5d5f3b377c46060e420e34202381c9f546caa23c5defbe34c522a8ff8432ab085151e7612c7fab8bc0146ce265d9ec9aedf76a0c85e

memory/5004-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/784-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/784-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ffbe159e42907c4e78eb66d8d97be635
SHA1 30a481daee8c99890736848962eecca05f5186fb
SHA256 77ef93fe667066f528ab80ecf3a525ec46e44531917a3687c48393bfc0607805
SHA512 bcf73da280629502e4e2664fef9d6d9b4ec0f34842bc209937f0acd1189fc7fa2ef6b29acdfdc3681a27128909ae5ec914e9ca78242cf4f5eec255b6b5b36bfa

memory/4308-43-0x0000000000400000-0x0000000000423000-memory.dmp

memory/784-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5004-50-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3088-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3088-55-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:53

Reported

2024-06-14 04:55

Platform

win7-20231129-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 1960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 1960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 1960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 1960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 1960 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe
PID 3056 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3056 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3056 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3056 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1344 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1344 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1344 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1344 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1668 wrote to memory of 2544 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 2544 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 2544 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 2544 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2544 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2544 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2544 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2544 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2544 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2544 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe

"C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe"

C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe

C:\Users\Admin\AppData\Local\Temp\dbe1092d078bae4902cdaf0fbc98824ef391d054a67db0aaeeb5be82b7784d93.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1960-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3056-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3056-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3056-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1960-8-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3056-11-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1ca46b910477a54f2e1849450bb7b469
SHA1 b855673f3d8c29d055afcc9bb96c6b272d857ef1
SHA256 77494d6872653d761626216368bfbced553450f2089dfbe9aafd276d4964706a
SHA512 afa5e49b3ca9156e8ac2562abc90302b0dace243704c2f831b7476342ef44e48b1ecbb8f34ca713fee0e614d6c0bb853ae413e237a051df62e7774a49a9258b0

memory/2976-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2976-26-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2976-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1344-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1344-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1344-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1344-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 ba4f91b5e6cae63e0ab26071e864826e
SHA1 7af30d2ff77e345da22256dad3cd516866e724e9
SHA256 1ecfcd68ed7c0022685ff3ea949ed297510cbbd25c88cde85806e8d34ec67c80
SHA512 718cd2e85316f869bbe5411a910f0999dfffeca94aa640c2d018e9f3a43524b1e7c14f53a8f1963ec5c9685dacf5f2c27e8b947d0c139e481bbff5a76647a08b

memory/1344-48-0x0000000000290000-0x00000000002B3000-memory.dmp

memory/1344-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2828-57-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2828-65-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa852986e1079407e22141cf0b01b743
SHA1 1677b8ecc789c7473c10a5a9d38f005653798c41
SHA256 d8e26997680cf54bc67604983fad29aabd59f3a57362e51b6eb7650fa5ca7a9c
SHA512 fbeef1a5029a625c1f418ff77ca62cdf0f3325438121e9567a26ded3885132e0f65c5b430488247af2f8fb7caf8d3164f016e17d542dbd8a97ca1e01d4cc2ee9

memory/1668-72-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2544-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2544-87-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1192-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1192-93-0x0000000000400000-0x0000000000429000-memory.dmp