Malware Analysis Report

2024-09-11 08:24

Sample ID 240618-wyafvayanp
Target 080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e
SHA256 080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e

Threat Level: Known bad

The file 080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Detects executables built or packed with MPress PE compressor

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:19

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:19

Reported

2024-06-18 18:21

Platform

win7-20240220-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe
PID 2972 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1332 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 292 wrote to memory of 1568 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1568 wrote to memory of 2868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2868 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe

"C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe"

C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe

C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1028-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2972-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2972-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2972-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1028-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2972-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2972-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1332-20-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2c342e556dfb38dfc0e807a40ffdd746
SHA1 39ceea853a2651d7eec48281335f97cfb74e3e5b
SHA256 6493f8232d3220984b8028fcb57e953af46674aa06555b6d013734e643db0bdc
SHA512 b702f5b7e82c5f354aaefca1077aa38a5b600b0302ceee5a4450751c67effd27a5538279439a930e079f9ba99fed77e8885fbb688bb29f837d1716ea7a187f74

memory/1332-23-0x0000000000230000-0x0000000000254000-memory.dmp

memory/1332-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2564-33-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2564-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2564-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2564-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 1b69b2171b405cee296e88609cd05638
SHA1 9393f9b0c07cced9de108b67ddc91ba36b2b5ddf
SHA256 9ea2fc2b9d73f199f84842d827b5d1b86187500d52069e6c7ede313c5e6d604b
SHA512 40a042a1afeb06f8f0924d6c2d97bb312ecdff7db32dd678bf8144617f859da7cbf958a579c243529579e11829e446f68807dfacdc516a7cbe0053543ff77804

memory/2564-46-0x00000000007A0000-0x00000000007C4000-memory.dmp

memory/2564-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/292-56-0x0000000000400000-0x0000000000424000-memory.dmp

memory/292-64-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cb06984217fcfecd5d2028827cad5e78
SHA1 40c64cc14035045c458d963b158ae0b0cf7d4306
SHA256 a3ccde7ca2ad4cb8ec704129df7f078876dcf26df1aadbeb011b5888bde9e241
SHA512 1e4d1f4310a8a03ba155adfe8f0e3e1d83066cbe083cab7d63fd0d754f63de8d1c26599ed7ba26ff2d19b7e31a8b608c0d1d028d44b609d00f52c9e3e86ada3a

memory/1568-70-0x0000000000230000-0x0000000000254000-memory.dmp

memory/2868-78-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2868-85-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2468-87-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2468-90-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:19

Reported

2024-06-18 18:21

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe
PID 1680 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1196 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 892 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2036 wrote to memory of 1016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1016 wrote to memory of 4160 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4160 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe

"C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe"

C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe

C:\Users\Admin\AppData\Local\Temp\080a8bcba732d54143cc73e3a1aef4efacd2103b019c315488c195d11958920e.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5040 -ip 5040

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1196 -ip 1196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2036 -ip 2036

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 300

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/5040-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1680-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1680-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1680-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1680-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2c342e556dfb38dfc0e807a40ffdd746
SHA1 39ceea853a2651d7eec48281335f97cfb74e3e5b
SHA256 6493f8232d3220984b8028fcb57e953af46674aa06555b6d013734e643db0bdc
SHA512 b702f5b7e82c5f354aaefca1077aa38a5b600b0302ceee5a4450751c67effd27a5538279439a930e079f9ba99fed77e8885fbb688bb29f837d1716ea7a187f74

memory/1196-10-0x0000000000400000-0x0000000000424000-memory.dmp

memory/892-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/892-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5040-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/892-17-0x0000000000400000-0x0000000000429000-memory.dmp

memory/892-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/892-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/892-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/892-27-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b6bd14d5802fa42b343eaa0e44e66135
SHA1 d470e53cc05d6b549ac737fc72382cef960016e9
SHA256 8080f26f25eea4acb83ee74696050a464065249092436d46230068fb8632ed2a
SHA512 327cd31f4ba3c2ab8aaad899b9738339443a0efe4f4e2701ca4bb5728a30feb7e0031861a8560443bb6f0071fbbafedf0e7d8636faf766d8c584a958428f135b

memory/2036-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1016-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1016-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1016-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4160-42-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4e26e1c60e0561fdfd2a4dee3cb1dddc
SHA1 d36dd1c968528e9cfd4b6576836dae3bab1f8847
SHA256 5c98de8dfd46ae4f8fb986b904fae41c494f824bd4203112dcee31fc809fd215
SHA512 97e2974e93adab4857a0b0a04ee23ea537e2a7733795247a7024dc06a4e4183848818d9b41a5d207108bdfd300c18a6600f9c1cf3279420b4ce5eb6ab1502866

memory/4532-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4532-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2036-48-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4160-49-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4532-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4532-53-0x0000000000400000-0x0000000000429000-memory.dmp