Malware Analysis Report

2024-09-11 08:25

Sample ID 240617-a39wlswdpf
Target a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41
SHA256 a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41

Threat Level: Known bad

The file a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 00:45

Signatures

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 00:45

Reported

2024-06-17 00:48

Platform

win7-20240611-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (13 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 1756 (6 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe
PID 1756 wrote to memory of 2300 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2300 wrote to memory of 2760 (6 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2760 wrote to memory of 2256 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2256 wrote to memory of 1072 (6 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1072 wrote to memory of 1644 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1644 wrote to memory of 2904 (6 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | "C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe"
C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/1760-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1760-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1756-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1756-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1756-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1756-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1756-19-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d80f9c294c4ec2c1edf61fbbcf0e19dc
SHA1 681d672921cbe9ff265a95fe60d31df84b975d92
SHA256 0d46f535b140158e63167b1f8cf856526c86981583139b4e255c4a2942b51997
SHA512 0abb3e6d6a6bf455f7cbed9e42bbe7b85c06337cc03f838e7428e8213354e34aa04f224a7fa804034af64434b203767ca66c3b427d5f65924df15d6b0c0d3abc

memory/2300-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2300-24-0x00000000003C0000-0x00000000003E3000-memory.dmp

memory/2300-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2760-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2760-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2760-44-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 4be1fbc4a8de5b2829127bf56bc95e88
SHA1 6a9ba6cdf7e214cf0a31a4a7b33b517f75790c20
SHA256 3b12ace81e363cf1d402e3d73c37160c9012d1671ec8972852a72096abcd9d2b
SHA512 78ad9fb74806519e80604293601c3f7a1e53487a7a66c5d4ea7b88c3d8d989cdec29e2be206141417f0ba0ce59a8371af3ce5b3965ddf0a33d804adeeef45e68

memory/2760-47-0x0000000000290000-0x00000000002B3000-memory.dmp

memory/2760-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2256-57-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2256-65-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 30b134b6d5d949661ace44a255d64f78
SHA1 2fe90e230b68778d55882c530cc94f176a1f18c6
SHA256 840049a26d06a29f0e7e6ec59e107e53c401a043ed5803755f9b5aadd1780b22
SHA512 99d0a599755ea7e5a219b664fc385275d4867ae34b89ef0b065a70f5dd094935bb106709a2eec415aa0f94a9c207dda2e304221b488f67e042e1ff879d1060e6

memory/1072-72-0x0000000000230000-0x0000000000253000-memory.dmp

memory/1644-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1644-87-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2904-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2904-93-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 00:45

Reported

2024-06-17 00:48

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 2612 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe
PID 2612 wrote to memory of 4540 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4540 wrote to memory of 2728 (5 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 3744 (3 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3744 wrote to memory of 3460 (5 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3460 wrote to memory of 2524 (3 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2816 (5 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | "C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe"
C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe | C:\Users\Admin\AppData\Local\Temp\a7c4f6008b758ac75af05bccfe287b7a08de5dec396bc98b692c9e319462de41.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4796 -ip 4796
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4540 -ip 4540
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 288
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 300
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3744 -ip 3744
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2524 -ip 2524
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/4796-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2612-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2612-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2612-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2612-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4540-11-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d80f9c294c4ec2c1edf61fbbcf0e19dc
SHA1 681d672921cbe9ff265a95fe60d31df84b975d92
SHA256 0d46f535b140158e63167b1f8cf856526c86981583139b4e255c4a2942b51997
SHA512 0abb3e6d6a6bf455f7cbed9e42bbe7b85c06337cc03f838e7428e8213354e34aa04f224a7fa804034af64434b203767ca66c3b427d5f65924df15d6b0c0d3abc

memory/2728-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2728-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4796-17-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2728-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2728-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2728-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2728-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2728-29-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 a87c526306ea64040d2f0b3e69066cd2
SHA1 16a5f0580d5f504799b1a859807146f1c5704de9
SHA256 ab33a0063224061143109d882620da776f3f9e4edcd824723b9087ab50def93d
SHA512 15402ac054383fa76b609c8c3c5f00b613d69fe65466270a4fcdfb7526b52cfb9bee6586444cadb2fff484a630d1e037cba8a09bdf9ae47348cefcd911e0fba1

memory/3744-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3460-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3460-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3460-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c4ff2cf630a00abba5f2dc28116ddb41
SHA1 bfbe763c34733011f6750debe5ce3e3443e00aad
SHA256 7b088606b05db138a722260261bc726dd3c5282184803e7b4049cf815b65e432
SHA512 b9bf3d42ddb78b8d26491566cc1a66ce1a6f59983c18104c9be8412fb11ad535a420eb790882c222e3e3b40b4c868f99ad02140139e757ff3080f76621ccb125

memory/2524-44-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2816-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2816-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2816-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2816-55-0x0000000000400000-0x0000000000429000-memory.dmp