Malware Analysis Report

2024-09-11 08:22

Sample ID 240619-f2qn8syhkm
Target f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb
SHA256 f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb
Tags neconyd trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb

Threat Level: Known bad

The file f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Detects executables built or packed with MPress PE compressor

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 05:22

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 05:22

Reported

2024-06-19 05:24

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 1512 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe
PID 1512 wrote to memory of 2984 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2984 wrote to memory of 2676 (6 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 1716 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1716 wrote to memory of 2228 (6 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2228 wrote to memory of 1696 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1696 wrote to memory of 2304 (6 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe

"C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe"

C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe

C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2124-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1512-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1512-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2124-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1512-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1512-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1512-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c48713cff88e472f1f0a11be58a44fc4
SHA1 d4fe43352855c6b20433b12f771b4f4c19db2cd4
SHA256 3b9558440e6f555493e1108c30126e8f6857b97b70e7936a142a1569a43de54f
SHA512 308f68fa93a2752107b138602c4080eff3877a59df150219fc45b59a6aef402ca18958b3cad8d1e81b92ff01a7cc880231da6e873645a4257237ff614b6ecbd6

memory/2984-20-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2984-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2676-32-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2676-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2676-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2676-41-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 014ab068b09ab78f766726d652c72b91
SHA1 fc711810c282f510aaa85c414caa9982e0b2a89d
SHA256 9068829301ee2dfaf7bf055b668b1122a0d42d254e3b58b0c87f4f393f843e30
SHA512 7da6b19b684cd0c401f292d7ed4287a395ecdadf5e797d913d2c22d9f6dfd3dcb33b74fbeb617f91674f2a9d4e05d871ee629249eb7b3dc5d5d351109ab3af4b

memory/2676-44-0x0000000002120000-0x0000000002144000-memory.dmp

memory/2676-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1716-60-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 44be7c81045e6f7de093ead48b6a707a
SHA1 ec3b1efcf3a60bfdf1b39d33b36558acd3d1c67f
SHA256 027eed108ae935e1dda49959b8ddbfe46cce31468cc5d0fd9807726beb62e59a
SHA512 5e94a3df7cd704ee10a7189ec5b34a7b5c053a9577966cc885c35947fced05f8012ef9556899fad3401c03750c22bd170dc2a495b276e182b1a68c99484c062c

memory/2228-67-0x0000000000230000-0x0000000000254000-memory.dmp

memory/1696-75-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1696-81-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2304-84-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2304-87-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 05:22

Reported

2024-06-19 05:24

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 3576 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe
PID 3576 wrote to memory of 2484 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2484 wrote to memory of 1212 (5 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1212 wrote to memory of 344 (3 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 344 wrote to memory of 3944 (5 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3944 wrote to memory of 3720 (3 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3720 wrote to memory of 1312 (5 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe

"C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe"

C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe

C:\Users\Admin\AppData\Local\Temp\f91bc899edac228033129fd629e3624ceba3e71eb760fb2ec9691e98c6cd95eb.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1420 -ip 1420

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2484 -ip 2484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 300

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 344 -ip 344

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3720 -ip 3720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1420-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3576-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3576-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3576-4-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c48713cff88e472f1f0a11be58a44fc4
SHA1 d4fe43352855c6b20433b12f771b4f4c19db2cd4
SHA256 3b9558440e6f555493e1108c30126e8f6857b97b70e7936a142a1569a43de54f
SHA512 308f68fa93a2752107b138602c4080eff3877a59df150219fc45b59a6aef402ca18958b3cad8d1e81b92ff01a7cc880231da6e873645a4257237ff614b6ecbd6

memory/2484-12-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3576-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-17-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-31-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 85b1600a6a4d9173e38bfa81c6b9d692
SHA1 35839b70e003548c688d3bece0df12703b2e64dd
SHA256 bf7b2f5eb515c73d4db86da04eecdcea5cd9b37887ecc9f36bd11d98382f79d2
SHA512 0f04426b584906ef6e1ce875e79d4f94213b96aafd7e9398836c455f21002d2f3713077db306da01cb15a87b008a25d9b7b7a4d5585b3086d52764289b52fdc4

memory/344-32-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3944-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3944-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3944-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3720-42-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 11b68e41b65188d2fa1040d74dc8cb20
SHA1 60e7d54c9891b634ad7e0e1b0d800c18a2fc7b08
SHA256 cf7817232a7182db968d8ab8771cf8689ef31e63a62722dcc56b6bcb637754a5
SHA512 12c35f42f47b98de5cb46f75fd144ecab79f552f9b4e1bdb602287d8cf0d2ab015ae3837da47becfc9a1a09d7451fee7a1a18a5d42de018b356d2ea378b135bf

memory/1312-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1312-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1312-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1312-53-0x0000000000400000-0x0000000000429000-memory.dmp