Malware Analysis Report

2024-09-11 08:18

Sample ID 240614-yv2r2axgjq
Target 2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2
SHA256 2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2

Threat Level: Known bad

The file 2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:07

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
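The static signature above fires on the MPress packer, whose stub renames the sections of a packed PE to .MPRESS1 and .MPRESS2. The following is an added example, not code from the report or the sandbox, that reproduces that check offline: it parses the PE header far enough to read the section table, flags the MPress section names, and compares the file's SHA256 with the one in this report. The minimal PE builder at the end exists only to construct test input; the report's sample is not embedded here.

```python
import hashlib
import struct
import sys

# Section names the MPress packer writes into a packed PE (well-known packer fingerprint).
MPRESS_SECTIONS = {b".MPRESS1", b".MPRESS2"}

# SHA256 of the sample from this report, used to confirm a file on disk is the analysed one.
REPORT_SHA256 = "2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2"


def pe_section_names(data):
    """Return the section names of a PE image, parsing only the headers needed for that."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts right after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def is_mpress_packed(data):
    """True when any section carries an MPress section name."""
    return any(name in MPRESS_SECTIONS for name in pe_section_names(data))


def triage(data):
    """Hash the file, list its sections and report whether it matches this report's sample."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "matches_report": digest == REPORT_SHA256,
        "sections": [n.decode("ascii", "replace") for n in pe_section_names(data)],
        "mpress": is_mpress_packed(data),
    }


def build_test_pe(section_names):
    """Constructed test input: a minimal, non-executable PE32 header with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # size of a PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic, rest zeroed
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_header + opt + sections


if __name__ == "__main__":
    # Usage: python mpress_check.py <file.exe>
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

Section names are an inexpensive first-pass indicator only: a repacked or manually renamed binary will not carry them, so treat a miss as "not obviously MPress" rather than "not packed".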

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:07

Reported

2024-06-14 20:09

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (10 rule matches reported, no indicator details)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 2852 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe
PID 2852 wrote to memory of 3352 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3352 wrote to memory of 3484 (5 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3484 wrote to memory of 2272 (3 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2272 wrote to memory of 2668 (5 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2668 wrote to memory of 3160 (3 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3160 wrote to memory of 1700 (5 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

The sandbox prints one row per WriteProcessMemory call; identical rows are collapsed above with their count. The writes form a single chain 3628 > 2852 > 3352 > 3484 > 2272 > 2668 > 3160 > 1700 in which every stage first writes five times into a child running its own image and then three times into the next dropped executable. Writing into a freshly started copy of the writer's own image, together with the SetThreadContext and "Executes dropped EXE" signatures in the overview, is the pattern of process-hollowing style injection: the on-disk file is a loader and the code that actually runs lives in the overwritten child.
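The WriteProcessMemory rows above are the raw material for reconstructing the injection chain. The following is an added example, not part of the report or of the sandbox's own tooling, that parses rows in the format the table uses, collapses repeated rows into per-hop write counts, orders the hops into a chain from the root process, and flags the hops where a process writes into a child running the same image. The input is the behavioral2 table, regenerated here one line per write from the counts in the report; the assumption that each PID writes into at most one child holds for this report and is noted in the code.

```python
import re
from collections import OrderedDict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# (source pid, target pid, number of rows, source image, target image) copied from the
# behavioral2 WriteProcessMemory table; expanded below into one line per write as the sandbox prints it.
REPORT_HOPS = [
    (3628, 2852, 5, SAMPLE, SAMPLE),
    (2852, 3352, 3, SAMPLE, ROAMING),
    (3352, 3484, 5, ROAMING, ROAMING),
    (3484, 2272, 3, ROAMING, SYSWOW64),
    (2272, 2668, 5, SYSWOW64, SYSWOW64),
    (2668, 3160, 3, SYSWOW64, ROAMING),
    (3160, 1700, 5, ROAMING, ROAMING),
]
REPORT_TEXT = "\n".join(
    f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"
    for src, dst, count, src_img, dst_img in REPORT_HOPS
    for _ in range(count)
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every well-formed table row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def summarize_hops(events):
    """Collapse repeated rows into one hop per (src, dst) pair with a write count and a same-image flag."""
    hops = OrderedDict()
    for src, dst, src_img, dst_img in events:
        hop = hops.setdefault((src, dst), {
            "src": src, "dst": dst, "writes": 0,
            "src_image": src_img, "dst_image": dst_img,
            "same_image": src_img.lower() == dst_img.lower(),
        })
        hop["writes"] += 1
    return list(hops.values())


def injection_chain(hops):
    """Order hops into a chain starting at the only PID that is never a write target.

    Assumes each PID writes into at most one child (true for this report); a process
    that injects into several children would need a tree instead of a list.
    """
    targets = {h["dst"] for h in hops}
    by_src = {h["src"]: h for h in hops}
    roots = [h["src"] for h in hops if h["src"] not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid in by_src and pid not in seen:
        seen.add(pid)
        chain.append(by_src[pid])
        pid = by_src[pid]["dst"]
    return chain


def hollowing_candidates(hops):
    """Hops where a process writes into a child running its own image: the process-hollowing pattern."""
    return [(h["src"], h["dst"]) for h in hops if h["same_image"]]


if __name__ == "__main__":
    for hop in injection_chain(summarize_hops(parse_rows(REPORT_TEXT))):
        tag = "self-image" if hop["same_image"] else "next-stage"
        print(f'{hop["src"]} -> {hop["dst"]} ({hop["writes"]} writes, {tag}) {hop["dst_image"]}')
```

The same parser applies to the behavioral1 (win7) table, whose chain has the same shape with different PIDs and write counts of six and four.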

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe "C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe"
C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3628 -ip 3628
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3352 -ip 3352
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 288
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 284
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2272 -ip 2272
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 292
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 268

Two details in this list matter for detection and cleanup. First, the second omsecor.exe stage is launched with the command line C:\Windows\System32\omsecor.exe but its image path is C:\Windows\SysWOW64\omsecor.exe, which is also where the "Drops file in System32 directory" signature records the file. The sample is a 32-bit process (its crashes are handled by the 32-bit C:\Windows\SysWOW64\WerFault.exe), so on 64-bit Windows its references to C:\Windows\System32 are transparently mapped to C:\Windows\SysWOW64 by WOW64 file system redirection; look for the dropped file in SysWOW64, not System32. Second, the WerFault.exe invocations name PIDs 3628, 3352, 2272 and 3160, the four processes that each started a copy of their own image and wrote into it, so each injecting parent crashes (the "Program crash" signature) once its child is running, and the process tree seen by a responder consists of the children only.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.121.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
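Sandbox network tables mix the sample's own traffic with resolver lookups, reverse-DNS lookups performed by the sandbox, and operating-system background traffic. The following is an added example, not part of the report, that turns the behavioral2 table above into a deduplicated indicator list: it drops the in-addr.arpa reverse lookups and the bing.com traffic (treated here as Windows background noise, an assumption for this example rather than a fact the report states), records which domains were resolved through the 8.8.8.8 resolver, and counts the real TCP connections per endpoint. The input rows are copied from the table.

```python
import re

# Rows from the behavioral2 "Network" table above, pasted as the sandbox prints them.
REPORT_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.121.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")
RESOLVER = "8.8.8.8"
# Domains treated as sandbox/OS background traffic. Assumed allow-list for this example;
# extend it with whatever your own sandbox image is known to contact.
BENIGN_DOMAINS = ("bing.com",)


def parse_network(text):
    """Parse 'Country Destination Domain Proto' rows; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                         "domain": m.group(4), "proto": m.group(5)})
    return rows


def is_noise(row):
    """Reverse lookups made by the sandbox and known background domains are not sample indicators."""
    domain = row["domain"]
    if domain.endswith(".in-addr.arpa"):
        return True
    return any(domain == d or domain.endswith("." + d) for d in BENIGN_DOMAINS)


def extract_iocs(rows):
    """Return {domain: {"resolved": bool, "endpoints": {"ip:port": connection_count}}} for non-noise rows."""
    iocs = {}
    for row in rows:
        if is_noise(row):
            continue
        entry = iocs.setdefault(row["domain"], {"resolved": False, "endpoints": {}})
        if row["ip"] == RESOLVER and row["port"] == 53 and row["proto"] == "udp":
            entry["resolved"] = True  # a lookup proves intent, not contact
            continue
        key = f'{row["ip"]}:{row["port"]}'
        entry["endpoints"][key] = entry["endpoints"].get(key, 0) + 1
    return iocs


def to_csv(iocs):
    """One 'domain,ip,port,connections' line per contacted endpoint, sorted for stable diffs."""
    lines = []
    for domain in sorted(iocs):
        for endpoint, count in sorted(iocs[domain]["endpoints"].items()):
            ip, port = endpoint.rsplit(":", 1)
            lines.append(f"{domain},{ip},{port},{count}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_csv(extract_iocs(parse_network(REPORT_NETWORK)))))
```

Keep the resolved-but-not-contacted case separate from the contacted endpoints: a domain that was looked up and then connected to on port 80 is a stronger indicator than a lookup alone, and the count of repeated connections to the same host (four to lousta.net within the run) is what distinguishes a beaconing channel from a one-off download.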

Files

memory/3628-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2852-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2852-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2852-3-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6acb5f7ea91071a1ecbaf96e612e4388
SHA1 40f84b895fda318d10c07df47114a2564bf855c4
SHA256 7c0373ee0b70f937fba275164ec57b7806f381561a7daaa7a0339de9da0f46d0
SHA512 685bec75d8323c32d49da2631e3a989965be64ea6e6a0da260ad58ca1a79b44f9cd1766f293810fb626a81d761f9e31df7f1110cc442946b6bcbdae423c13148

memory/3352-11-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2852-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3484-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3484-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3628-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3484-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3484-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3484-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3484-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f3d44e5f5bd2c256a9fd4491bc6ad699
SHA1 c6726d9d75cab49789f2742967a6114dfd1c10d9
SHA256 f35dd3dc25027ca67fc7126daac5f5b8de898625afe63462de3141df4c8624e4
SHA512 2b17689d839e389ce0ca76796dff123ebdea31a24f1e57753ce28e9f79a23257fa337aea109b32ebcdc33bd5665f25b7c89fbe26185e6e78ec0af3e00651e3f7

memory/3484-29-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2272-32-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2668-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c152d4e65cb3cf6ecc3e3b4021d6624a
SHA1 0f7f68633d59762804bc9a6bcb65a14ff564a565
SHA256 f532806ad8602e9d966f5fcb437b6daded6772efe1527f72cc41b7c02826ab3b
SHA512 b775df26501b807ef8d297b3fafe9593081f9f1b129d2428e23dd41f3a26c67a7474e667813c61ad35827b88c34eb792f8361bf2c4d75f53eef3fa50e879c5a6

The path C:\Users\Admin\AppData\Roaming\omsecor.exe appears twice in this run with different hashes (SHA256 7c0373ee... for the first drop, f532806a... for this one), and the win7 run (behavioral1) reports different hashes again for both drop locations, so the dropped binaries are rewritten at every stage and differ between detonations. Hash-based blocking of omsecor.exe is therefore unreliable; the drop paths, the SysWOW64 write and the self-image injection chain are the durable indicators.

memory/3160-41-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2668-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1700-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1700-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2272-48-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3160-49-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1700-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1700-53-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:07

Reported

2024-06-14 20:09

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (12 rule matches reported, no indicator details)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2228 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe
PID 2228 wrote to memory of 2576 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 2596 (6 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2596 wrote to memory of 2468 (4 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2468 wrote to memory of 992 (6 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 992 wrote to memory of 1444 (4 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1444 wrote to memory of 3048 (6 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

The sandbox prints one row per WriteProcessMemory call; identical rows are collapsed above with their count. The chain 2248 > 2228 > 2576 > 2596 > 2468 > 992 > 1444 > 3048 has the same shape as in the win10 run: six writes into a child running the writer's own image, then four into the next dropped executable.

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe "C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe"
C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe C:\Users\Admin\AppData\Local\Temp\2f874704125e6ebc5f1841ae41b41cc3e80f801a72c33415d17a686635bd66a2.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

As in the win10 run, the System32 command line resolves to the SysWOW64 image path through WOW64 file system redirection. No WerFault.exe processes appear in this run.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2248-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2228-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2228-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2248-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2228-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2228-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2228-8-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6acb5f7ea91071a1ecbaf96e612e4388
SHA1 40f84b895fda318d10c07df47114a2564bf855c4
SHA256 7c0373ee0b70f937fba275164ec57b7806f381561a7daaa7a0339de9da0f46d0
SHA512 685bec75d8323c32d49da2631e3a989965be64ea6e6a0da260ad58ca1a79b44f9cd1766f293810fb626a81d761f9e31df7f1110cc442946b6bcbdae423c13148

memory/2228-17-0x00000000003B0000-0x00000000003D4000-memory.dmp

memory/2228-20-0x00000000003B0000-0x00000000003D4000-memory.dmp

memory/2576-22-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2576-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2596-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2596-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2596-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2596-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 559ff0e703d39b5611ff36d0a4459a3e
SHA1 906ce21f20bcaa483e6dbf749eac1becbc31c43c
SHA256 f4cdbcb2b7d6daeaabc1f0f60d6805ef9924c3dd7cad220d6e1424fc8de5389e
SHA512 453622a4c6c3443ff3f72a0ac92edd40c2d51c4d5719d1ecd8ffe0fad99d535eadc5a489253786c6f25a7a9dfe23b9b0a1588188cb76bba697f464c2de8a3383

memory/2596-46-0x0000000000390000-0x00000000003B4000-memory.dmp

memory/2596-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2468-63-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7490c83fe8afe2b3783752685e397e25
SHA1 e3e75bf8d977d1e2b6ebe0f04e53f0cac24f02a0
SHA256 533c11f44b2005297a4334359ad95bd652286dbadfe4379cf75d3feb72696834
SHA512 a0213ff89d0573f2efc8080e7bb775e3dfffd066f978f3348d52c8e58e13a3873b6574ff5cbb3fd993fd0b0fa6aecd2c8e0e2c58aba9032a37d06fa08cbd18d3

memory/1444-76-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1444-83-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3048-85-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3048-88-0x0000000000400000-0x0000000000429000-memory.dmp