Malware Analysis Report

2024-09-11 08:28

Sample ID 240619-zbn79szgrd
Target 363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796
SHA256 363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796

Threat Level: Known bad

The file 363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 20:32

Signatures

Detects executables built or packed with MPress PE compressor

No indicator details recorded.

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 20:32

Reported

2024-06-19 20:35

Platform

win7-20231129-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

12 matches, no indicator details recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

The signature name says System32 but the recorded path is SysWOW64. The sample is a 32-bit executable running on 64-bit Windows, and WoW64 file-system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64 for 32-bit processes. The process list below shows the effect: omsecor.exe is started with the command line C:\Windows\System32\omsecor.exe but executes from C:\Windows\SysWOW64\omsecor.exe. Detection rules keyed on the System32 path need to cover SysWOW64 as well.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2960 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2960 wrote to memory of 3008 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 2996 (6 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 2660 (4 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2660 wrote to memory of 1600 (6 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1600 wrote to memory of 1308 (4 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1308 wrote to memory of 2300 (6 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Identical rows are collapsed; the count in parentheses is the number of write events recorded for that pair. Every PID writes into exactly one other PID, so the table is a single chain 2884 → 2960 → 3008 → 2996 → 2660 → 1600 → 1308 → 2300. The links alternate: a process writes into a second copy of its own image (the self-injection that, together with the SetThreadContext signature, is the process-hollowing pattern), and that copy then writes into a process started from the dropped omsecor.exe at the next location (Roaming, then SysWOW64, then Roaming again).
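The chain above can be recovered mechanically from the sandbox table. The following script is an added example, not part of the sandbox output; it parses rows of the form "PID X wrote to memory of Y", collapses the repeats, checks that the writes form a single chain, and labels each link as self-injection (same image on both sides) or a write into a dropped file's process. The input is constructed from the behavioral1 table with the same repeat counts; the classification is an interpretation of the write pattern, not a verdict the sandbox emits.

```python
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed input: the behavioral1 "Suspicious use of WriteProcessMemory" table,
# reproduced with the same number of repeated rows as the report (6, 4, 6, 4, 6, 4, 6).
TABLE = "\n".join(
    [f"PID 2884 wrote to memory of 2960 N/A {SAMPLE} {SAMPLE}"] * 6
    + [f"PID 2960 wrote to memory of 3008 N/A {SAMPLE} {ROAMING}"] * 4
    + [f"PID 3008 wrote to memory of 2996 N/A {ROAMING} {ROAMING}"] * 6
    + [f"PID 2996 wrote to memory of 2660 N/A {ROAMING} {SYSWOW64}"] * 4
    + [f"PID 2660 wrote to memory of 1600 N/A {SYSWOW64} {SYSWOW64}"] * 6
    + [f"PID 1600 wrote to memory of 1308 N/A {SYSWOW64} {ROAMING}"] * 4
    + [f"PID 1308 wrote to memory of 2300 N/A {ROAMING} {ROAMING}"] * 6
)

# One table row: source PID, target PID, the unused Indicator column, source image, target image.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_writes(table):
    """Collapse identical rows: {(src_pid, dst_pid, src_image, dst_image): write_count}."""
    counts = Counter()
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            counts[(int(src), int(dst), src_img, dst_img)] += 1
    return dict(counts)


def classify(src_img, dst_img):
    """Same image on both sides: the parent launched a copy of itself and wrote over it,
    the pattern that pairs with SetThreadContext in process hollowing. Different image:
    the parent wrote into a process started from a dropped file."""
    if src_img == dst_img:
        return "self-injection"
    return "writes into " + dst_img.rsplit("\\", 1)[-1]


def build_chain(counts):
    """Follow the writes from the root PID (never a target) to the last target.
    Raises if the graph is not a single chain; a branching tree needs a different view."""
    targets_of = {}
    for src, dst, _, _ in counts:
        targets_of.setdefault(src, []).append(dst)
    all_targets = {dst for _, dst, _, _ in counts}
    roots = [src for src in targets_of if src not in all_targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in targets_of:
        nxt = targets_of[chain[-1]]
        if len(nxt) != 1 or nxt[0] in chain:
            raise ValueError(f"PID {chain[-1]} is not a simple chain link: {nxt}")
        chain.append(nxt[0])
    return chain


def describe(table):
    """One line per link: '<src> -> <dst>: <n> writes, <classification>'."""
    counts = parse_writes(table)
    by_src = {src: (dst, si, di, n) for (src, dst, si, di), n in counts.items()}
    return [
        f"{pid} -> {by_src[pid][0]}: {by_src[pid][3]} writes, {classify(by_src[pid][1], by_src[pid][2])}"
        for pid in build_chain(counts)[:-1]
    ]


if __name__ == "__main__":
    for line in describe(TABLE):
        print(line)
```

Running it prints seven links, the first reading "2884 -> 2960: 6 writes, self-injection" and the second "2960 -> 3008: 4 writes, writes into omsecor.exe". The same parser applies unchanged to the behavioral2 table, where the PIDs differ but the chain has the same shape.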

Processes

Each entry is the image path followed by the command line it was started with.

Image: C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"

Image: C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
Command line: C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\SysWOW64\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The fifth process was launched through the System32 path but runs from SysWOW64: WoW64 file-system redirection applied to a 32-bit process.

Network

Rows to 8.8.8.8:53 are the DNS lookups; the sample's outbound connections are all tcp/80 to lousta.net (193.166.255.171), mkkuei4kdsz.com (64.225.91.73) and ow5dirasuek.com (52.34.198.229).

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

Memory dump names are <pid>-<sequence>-<start>-<end>. Every process started from a file on disk (2884, 3008, 2660, 1308) is dumped as 0x400000-0x424000, while every process that received the writes in the chain (2960, 2996, 2300) is dumped as 0x400000-0x429000. The target image is larger than the one loaded from disk, consistent with the MPress-packed image being replaced by an unpacked payload in the hollowed copy.

memory/2884-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2960-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2960-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2884-7-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2960-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2960-8-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6edf1945c3296c6f87680e8bb518f7f5
SHA1 7f7414a27b3a2774a90219f9c3dd40d13fffb0db
SHA256 e36bddcb580a9183a39b202060b32f699aa4a7c30149716c7e7b9f73da2013bc
SHA512 df41dd39b797ffc8cae4fbe8c82533199cc8b30dc969a8b9e751a630c9d35691db27f8e10e02bc04db9deb204124cab24efccb1c1663506273d6d386c5789770

memory/3008-20-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2960-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3008-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2996-32-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2996-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2996-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2996-42-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 f279d2dca58828722dccc662d0ec798f
SHA1 4604816d0de17e90d6e54be7f8c6274baf668606
SHA256 2200907c6a0824cea6c3e298cd5eaff87c59a262da8dee5d9d34c6075e758580
SHA512 7d66ecf215aeaa84b11cf90b2b95eb2f6175cddad1b2ef62b99301cf3cecc1bf6e9ff2b174f45a70b73c650a46b7393f66cf2ba4aa4163a3652fdd3851a0deac

memory/2996-45-0x0000000001F50000-0x0000000001F74000-memory.dmp

memory/2996-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2660-55-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-63-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 797b7b1fb417f7c0aaa894ef2a8a17e0
SHA1 33e26be7beddf15d0a745c13a7f03ebd5a2ac437
SHA256 19949127139a6f786cc601b578b6f9994f142e0e0bc050d71064473be17efc0f
SHA512 b01a5b42d63583689a7e4d3de219598b92ef7a66b2103d4caa45e3891eaa465f4affeee22df2411be1a2e9ba4539cdf02b7915732e8ed254e83545136228176b

memory/1308-76-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1308-83-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2300-85-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2300-88-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 20:32

Reported

2024-06-19 20:35

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

8 matches, no indicator details recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

As in the win7 run, the file lands in SysWOW64 because the 32-bit dropper's System32 path is redirected by WoW64.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 4420 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 4420 wrote to memory of 692 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 692 wrote to memory of 2660 (5 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2660 wrote to memory of 2736 (3 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2736 wrote to memory of 4216 (5 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 4216 wrote to memory of 1272 (3 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1272 wrote to memory of 384 (5 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Identical rows are collapsed; the count in parentheses is the number of write events recorded for that pair. The chain is 3316 → 4420 → 692 → 2660 → 2736 → 4216 → 1272 → 384, the same alternation of self-injection and writes into the dropped omsecor.exe as in the win7 run (PID 2660 is reused by the operating system here and is unrelated to the 2660 of behavioral1).

Processes

Each entry is the image path followed by the command line it was started with.

Image: C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"

Image: C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
Command line: C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 692 -ip 692

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3316 -ip 3316

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 288

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 288

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\SysWOW64\omsecor.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2736 -ip 2736

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 292

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1272 -ip 1272

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 256

The WerFault.exe entries are Windows Error Reporting handling crashes of PIDs 3316, 692, 2736 and 1272 (the "Program crash" signature); each of these is a process that had just written into its child. The msedge.exe utility process is background activity of the Windows 10 image; the report records no interaction between it and the sample. The omsecor.exe started via the System32 path runs from SysWOW64 because of WoW64 file-system redirection.

Network

Rows to 8.8.8.8:53 are DNS lookups. The *.in-addr.arpa rows are reverse (PTR) lookups: 73.91.225.64.in-addr.arpa and 229.198.34.52.in-addr.arpa correspond to the contacted hosts 64.225.91.73 and 52.34.198.229, the rest to addresses that appear nowhere else in the report. The outbound connections are the same three tcp/80 endpoints as in the win7 run.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe is recorded twice in this run with different hashes, and C:\Windows\SysWOW64\omsecor.exe hashes differently from the win7 run; only the first Roaming drop (SHA256 e36bddcb...) is identical across both runs. Hashes of the rewritten copies are therefore poor indicators; the paths and the write chain are the stable ones.

memory/3316-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4420-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4420-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4420-3-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6edf1945c3296c6f87680e8bb518f7f5
SHA1 7f7414a27b3a2774a90219f9c3dd40d13fffb0db
SHA256 e36bddcb580a9183a39b202060b32f699aa4a7c30149716c7e7b9f73da2013bc
SHA512 df41dd39b797ffc8cae4fbe8c82533199cc8b30dc969a8b9e751a630c9d35691db27f8e10e02bc04db9deb204124cab24efccb1c1663506273d6d386c5789770

memory/2660-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2660-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/692-10-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4420-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3316-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-17-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2660-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2660-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2660-24-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 6f853d3cb397b3798a21287e82e7a28c
SHA1 d1b8ae141a55d91d0278aafb3c3befef703c6c67
SHA256 eacb955f9557e25e57511fe29d713eea27c8155eef95730ef9225e1ffb8ca19d
SHA512 66dce3ca0eda533647370c8144585dc826176faf9be156db1e88d23cafebd0d3251a29bdff8b0a93f41be68014e4c6230178da389874201db4029404f8f0ddc7

memory/2660-28-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2736-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4216-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4216-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4216-34-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7fa31b000f38dd31429b1a6115d8cba6
SHA1 7a406db4790d04968c57d61bdbd63faecc2203e8
SHA256 9d632d5741a15b7cd9cafc94563c64500c7a99a9bb15e8d0468e64a2a9831c3f
SHA512 1687e0fb2d420e9e90a236f37b3c8a65cabe0d515208941f8ec4304ddcecdad78d150a15e32efbce7c56c187af9751763034f36103c8843959388d0c3f5d3775

memory/384-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/384-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1272-41-0x0000000000400000-0x0000000000424000-memory.dmp

memory/384-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/384-51-0x0000000000400000-0x0000000000429000-memory.dmp
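The two indicator sets a practitioner would want out of this report are the network endpoints and the dropped-file hashes, and both need filtering: the network tables mix sandbox DNS noise with the sample's connections, and the Files sections show omsecor.exe being rewritten with different content. The script below is an added example, not part of the sandbox output. It parses a copy of the behavioral2 Network table (constructed inline), drops resolver and PTR rows, deduplicates the endpoints, then takes the dropped-file entries from both runs and classifies each path's hash as stable, stable only for the first drop, or unstable. The path normalisation and the three-way verdict are this example's own conventions.

```python
import re

# Constructed input: rows copied from the behavioral2 Network table.
NETWORK = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

NET_RE = re.compile(r"^(\w{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$")


def network_iocs(table, resolver="8.8.8.8"):
    """Unique endpoints the sample talked to, in first-seen order.
    Rows to the sandbox resolver and PTR (in-addr.arpa) lookups are dropped:
    they add no indicator beyond the IPs already in the tcp rows."""
    seen = []
    for line in table.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        if ip == resolver or domain.endswith(".in-addr.arpa"):
            continue
        entry = {"domain": domain, "ip": ip, "port": int(port), "proto": proto, "country": country}
        if entry not in seen:
            seen.append(entry)
    return seen


# Constructed input: the dropped-file entries from the Files sections of both runs
# (path line followed by its SHA256 line), in the order the report lists them.
RUNS = {
    "behavioral1": r"""
\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 e36bddcb580a9183a39b202060b32f699aa4a7c30149716c7e7b9f73da2013bc
\Windows\SysWOW64\omsecor.exe
SHA256 2200907c6a0824cea6c3e298cd5eaff87c59a262da8dee5d9d34c6075e758580
\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 19949127139a6f786cc601b578b6f9994f142e0e0bc050d71064473be17efc0f
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 e36bddcb580a9183a39b202060b32f699aa4a7c30149716c7e7b9f73da2013bc
C:\Windows\SysWOW64\omsecor.exe
SHA256 eacb955f9557e25e57511fe29d713eea27c8155eef95730ef9225e1ffb8ca19d
C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 9d632d5741a15b7cd9cafc94563c64500c7a99a9bb15e8d0468e64a2a9831c3f
""",
}


def dropped_hashes(text):
    """[(normalised_path, sha256), ...] in report order. The drive letter is stripped
    and the path lower-cased so the win7 listing (no drive) and the win10 listing
    (C:) compare equal."""
    out, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("SHA256 "):
            if current is not None:
                out.append((current, line.split(maxsplit=1)[1]))
        else:
            current = re.sub(r"^[A-Za-z]:", "", line).lower()
    return out


def hash_iocs(runs):
    """Per path: ('stable', sha) if one hash across every write and run,
    ('first-drop', sha) if only the first write in each run agrees,
    ('unstable', None) otherwise, where a path or behaviour rule is needed instead."""
    all_hashes, first_hashes = {}, {}
    for text in runs.values():
        seen_in_run = set()
        for path, sha in dropped_hashes(text):
            all_hashes.setdefault(path, set()).add(sha)
            if path not in seen_in_run:
                seen_in_run.add(path)
                first_hashes.setdefault(path, set()).add(sha)
    verdict = {}
    for path, hashes in all_hashes.items():
        if len(hashes) == 1:
            verdict[path] = ("stable", next(iter(hashes)))
        elif len(first_hashes[path]) == 1:
            verdict[path] = ("first-drop", next(iter(first_hashes[path])))
        else:
            verdict[path] = ("unstable", None)
    return verdict


if __name__ == "__main__":
    for e in network_iocs(NETWORK):
        print(f"{e['domain']} {e['ip']}:{e['port']}/{e['proto']} ({e['country']})")
    for path, (kind, sha) in hash_iocs(RUNS).items():
        print(f"{path}: {kind} {sha or ''}")
```

On this report the network pass yields exactly the three tcp/80 endpoints, the Roaming copy of omsecor.exe comes out as "first-drop" (only its initial write is reproducible) and the SysWOW64 copy as "unstable", which is the reason to ship the paths and the injection chain as detection content rather than the file hashes.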