Malware Analysis Report

2024-09-11 08:29

Sample ID 240620-yvqd1azcln
Target 0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
SHA256 0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712
Tags
neconyd trojan
score
10/10


Analysis Overview

score
10/10

SHA256

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712

Threat Level: Known bad

The file 0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:06

Reported

2024-06-20 20:09

Platform

win7-20240221-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2528 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe 6
PID 1648 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2540 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6
PID 2692 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 1532 wrote to memory of 684 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 6
PID 684 wrote to memory of 1504 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 1504 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6
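The WriteProcessMemory rows are easier to reason about once they are followed as a chain from the root PID. Every hop alternates between two shapes: a process writes into a freshly started copy of its own file (Temp exe into Temp exe, Roaming omsecor.exe into Roaming omsecor.exe, SysWOW64 into SysWOW64), then that copy writes into the next dropped stage. Writing into a just-spawned copy of oneself, with the SetThreadContext signature from the summary alongside it, is the outward shape of process hollowing; the sandbox itself only reports the API use. The script below is an added example written for this page, not the sandbox's own tooling. It parses rows in the sandbox's one-row-per-call shape (constructed here from the behavioral1 table, with an optional trailing count accepted so a collapsed table parses too), collapses repeats, walks writer to target from the PID that is never itself a target, and marks the same-image hops. The regex assumes paths without spaces, which holds for these rows; on real exports use the structured output rather than the rendered text.

```python
import re
from collections import OrderedDict

# Constructed sample, copied from the behavioral1 WriteProcessMemory table in this report.
TEMP = (r"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea"
        r"245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

SAMPLE_ROWS = (
    [f"PID 2528 wrote to memory of 1648 N/A {TEMP} {TEMP}"] * 6
    + [f"PID 1648 wrote to memory of 2540 N/A {TEMP} {ROAMING}"] * 4
    + [f"PID 2540 wrote to memory of 2692 N/A {ROAMING} {ROAMING}"] * 6
    + [f"PID 2692 wrote to memory of 1532 N/A {ROAMING} {SYSWOW}"] * 4
    + [f"PID 1532 wrote to memory of 684 N/A {SYSWOW} {SYSWOW}"] * 6
    + [f"PID 684 wrote to memory of 1504 N/A {SYSWOW} {ROAMING}"] * 4
    + [f"PID 1504 wrote to memory of 1852 N/A {ROAMING} {ROAMING}"] * 6
)

# One row: "PID <src> wrote to memory of <dst> N/A <src image> <dst image> [<count>]".
# \S+ is enough because none of the paths in this report contain spaces.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)(?: (?P<count>\d+))?$"
)


def collapse_writes(rows):
    """Count identical rows, keeping first-seen order (the sandbox lists calls in time order).
    Key: (writer pid, target pid, writer image, target image) -> number of calls."""
    counts = OrderedDict()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header line or a row in another shape
        key = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        counts[key] = counts.get(key, 0) + int(m["count"] or 1)
    return counts


def build_chain(rows):
    """Walk writer -> target hops starting at the PID that is never itself a target.
    Each hop records the call count and whether the target runs the writer's own image."""
    counts = collapse_writes(rows)
    targets = {k[1] for k in counts}
    roots = sorted({k[0] for k in counts if k[0] not in targets})
    if len(roots) != 1:
        raise ValueError(f"expected a single root writer, found {roots}")
    # Every writer in this report has exactly one target; a fan-out would need a tree walk.
    by_writer = {k[0]: (k, n) for k, n in counts.items()}
    chain, pid, seen = [], roots[0], set()
    while pid in by_writer and pid not in seen:  # `seen` guards against a cyclic export
        seen.add(pid)
        (src, dst, src_img, dst_img), n = by_writer[pid]
        chain.append({"writer": src, "target": dst, "writes": n,
                      "same_image": src_img == dst_img, "target_image": dst_img})
        pid = dst
    return chain


def hollowing_candidates(chain):
    """PIDs written to by a process running the same file they were started from."""
    return [hop["target"] for hop in chain if hop["same_image"]]


def stage_sequence(chain):
    """Order in which the drop locations take over, consecutive repeats removed."""
    seq = []
    for hop in chain:
        if not seq or seq[-1] != hop["target_image"]:
            seq.append(hop["target_image"])
    return seq


if __name__ == "__main__":
    for hop in build_chain(SAMPLE_ROWS):
        kind = "same image" if hop["same_image"] else "next stage"
        print(f"{hop['writer']:>5} -> {hop['target']:<5} x{hop['writes']}  {kind}")
    print(stage_sequence(build_chain(SAMPLE_ROWS)))
```

On this run the walk gives 2528 -> 1648 -> 2540 -> 2692 -> 1532 -> 684 -> 1504 -> 1852, six calls on every same-image hop and four on every hop into the next drop, and a location sequence of Temp, Roaming, SysWOW64, Roaming. What the individual writes carry is not something the table says; the counts are only useful as a fingerprint for matching the same loader in another run.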

Processes

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2528-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1648-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1648-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2528-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1648-5-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1d70056766471cbe20b90aaa2679535b
SHA1 1a872b735c5f6a562618cf3a10a194876711f300
SHA256 06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e
SHA512 b7e9b545c99a921999b7c69fd803da8cefdadf8ad2fd9cb3f4821bf100c7bf1f80c3f58ef11e28b4070a28ef54e6b6f7345057e0238c72cb1037a30637a35ddd

memory/1648-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1648-13-0x0000000000430000-0x0000000000454000-memory.dmp

memory/1648-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2540-21-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2540-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2692-33-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2692-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2692-42-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 801b4def57ebc571d486412be137b09e
SHA1 c7b2d2c9e628d46fa1fb5d93b1c0146f5cbe289e
SHA256 a12a155219e8722cd08fa5d3ba01bd82f413c7f798f9214effa7913412efb8e9
SHA512 f0913557d33a3b29116075214fe174ef40fd25ac6fa177c906cbc8a74f689b977a7c518e7fd43977ebf63908727c6653cf1266f56edbb659e07b584e0d72d6ed

memory/2692-45-0x0000000000390000-0x00000000003B4000-memory.dmp

memory/1532-55-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2692-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1532-63-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d8616b63a7914f91b878f2a37b369827
SHA1 7cba1c028a8bec3a37a03a78329c57a81504dd1f
SHA256 ec31b349584d3468cb5a917b355b16a102ab1542d8aaa291f67e7bdd3e6500fa
SHA512 6e2079c161e86934f185724ae501f14b5a2e28d73dfed4835453062c8cbfa0e5944973672eb47b818bb75f478a3b4f3172fd6267093d1d5dee8001121cdfcb51

memory/1504-76-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1504-83-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1852-85-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1852-88-0x0000000000400000-0x0000000000429000-memory.dmp
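The memory/<pid>-<seq>-<start>-<end>-memory.dmp names above encode the address range of each dumped region, and reading them per PID shows something worth checking by hand. Every process that starts a copy of its own file and writes into it (2528, 2540, 1532, 1504) holds a 0x24000-byte region at 0x400000, while the copy it wrote into (1648, 2692, 1852) holds a 0x29000-byte region at the same base, plus a second 0x24000-byte region at another base (1648-13 at 0x430000, 2692-45 at 0x390000). A different image size in a process started from the same file as its writer is consistent with the original image having been replaced, which is the reading the SetThreadContext and WriteProcessMemory signatures already suggest. The script below is an added example, not part of the sandbox output: it parses the dump names (constructed here from the listing above), collects region sizes at the image base per PID, and compares writer and target across the same-image hops from the WriteProcessMemory table. PID 684 has no dump in the listing, so that hop is reported as lacking data rather than guessed.

```python
import re

# Constructed sample: memory dump names copied from the behavioral1 Files listing above.
DUMP_NAMES = [
    "memory/2528-0-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/1648-8-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1648-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1648-13-0x0000000000430000-0x0000000000454000-memory.dmp",
    "memory/2540-21-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/2692-33-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2692-45-0x0000000000390000-0x00000000003B4000-memory.dmp",
    "memory/1532-55-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/1504-76-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/1852-85-0x0000000000400000-0x0000000000429000-memory.dmp",
]

# Same-image hops from the WriteProcessMemory table: (writer pid, target pid).
# Cross-stage hops such as 1648 -> 2540 are left out because the two sides run
# different files, so their image sizes are not comparable.
SAME_IMAGE_HOPS = [(2528, 1648), (2540, 2692), (1532, 684), (1504, 1852)]

IMAGE_BASE = 0x400000  # image base seen for every process in this report

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(names):
    """Yield (pid, seq, start, end) for every well-formed dump name."""
    for name in names:
        m = DUMP_RE.match(name.strip())
        if m:
            yield (int(m["pid"]), int(m["seq"]),
                   int(m["start"], 16), int(m["end"], 16))


def sizes_at_base(names, base=IMAGE_BASE):
    """pid -> sorted distinct region sizes dumped at `base`.
    More than one size for a PID would mean the image region changed mid-run."""
    sizes = {}
    for pid, _seq, start, end in parse_dumps(names):
        if start == base:
            sizes.setdefault(pid, set()).add(end - start)
    return {pid: sorted(s) for pid, s in sizes.items()}


def other_regions(names, base=IMAGE_BASE):
    """pid -> list of (start, size) for dumped regions that are not at the image base."""
    out = {}
    for pid, _seq, start, end in parse_dumps(names):
        if start != base:
            out.setdefault(pid, []).append((start, end - start))
    return out


def compare_hops(hops, names):
    """(writer, target, verdict) per same-image hop: 'size-differs' when the image
    region sizes disagree, 'same-size' when they match, 'no-data' when either side
    has no dump at the image base."""
    sizes = sizes_at_base(names)
    verdicts = []
    for writer, target in hops:
        if writer not in sizes or target not in sizes:
            verdicts.append((writer, target, "no-data"))
        elif sizes[writer] == sizes[target]:
            verdicts.append((writer, target, "same-size"))
        else:
            verdicts.append((writer, target, "size-differs"))
    return verdicts


if __name__ == "__main__":
    for pid, sizes in sorted(sizes_at_base(DUMP_NAMES).items()):
        print(f"{pid:>5}: " + ", ".join(f"0x{s:x}" for s in sizes))
    for writer, target, verdict in compare_hops(SAME_IMAGE_HOPS, DUMP_NAMES):
        print(f"{writer} -> {target}: {verdict}")
```

A size mismatch is a prompt to pull the two dumps and compare headers, not a verdict on its own; the check ignores the extra 0x24000-byte regions the written-to processes carry at other bases, which are the next thing to look at in the dumps.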

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 20:06

Reported

2024-06-20 20:09

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe 5
PID 2872 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 1808 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5
PID 4920 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 3
PID 4748 wrote to memory of 4604 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 5
PID 4604 wrote to memory of 3892 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 3892 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5

Processes

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 292

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4748 -ip 4748

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3892 -ip 3892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 268

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

memory/4420-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1808-11-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1d70056766471cbe20b90aaa2679535b
SHA1 1a872b735c5f6a562618cf3a10a194876711f300
SHA256 06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e
SHA512 b7e9b545c99a921999b7c69fd803da8cefdadf8ad2fd9cb3f4821bf100c7bf1f80c3f58ef11e28b4070a28ef54e6b6f7345057e0238c72cb1037a30637a35ddd

memory/2872-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4920-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4920-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2872-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2872-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2872-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1808-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4420-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4920-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4920-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4920-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4920-23-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 9289cb9a89dee541fa644e4e42a205dc
SHA1 310425c7d036779442687c719bb0b59e0d3f499e
SHA256 12428ef21052e8a099831804ddc9c38c636b0811320a29999ff49c6295572157
SHA512 1de14ce1afc6a14dea422fec1ca47cc3a96326271fd3a5870ac3659e36cba5ae4daa3b0d0e9ba0ec5a2dc151ed49b950134e6bac76cef1111eafcb246b9d1bfa

memory/4920-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4748-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4604-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4604-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4604-33-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bd0ed18ae07c6561166cb812b786003d
SHA1 6fddd95aa756366892fce50fda6d8ec7c004316f
SHA256 82af52c9e585409fd030e0a2a034bc42619f40f47e46a1e7306c9f7712fb7f35
SHA512 74e15c419e7de5c90319c876bea51466bb71d2c0d60f3be055837ecb45d33d0d472bdb7cbdc7dae2447f268cb5cc6bdb2f726afdabb1a5578307a47f85488477

memory/3892-41-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3804-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3804-45-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3804-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3804-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3804-51-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3804-53-0x0000000000400000-0x0000000000429000-memory.dmp
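Two detonations are enough to sort the indicators in this report by how well they travel. The first %APPDATA%\omsecor.exe drop has the same SHA256 on Windows 7 and Windows 10 (06e22d72...), but the SysWOW64 copy and the second %APPDATA% copy differ between the two runs, so hash indicators beyond the first stage would miss the next infection. The three domains, the drop paths and the shape of the chain are identical in both runs. The script below is an added example written for this page, not a tool from the sandbox: it takes the dropped-file hashes and domains from both detonations (copied from this report), keeps only the hashes common to every run as hash IOCs, and applies the result to a few constructed telemetry lines in a hypothetical key=value format chosen for the example. Because the Processes listing shows the SysWOW64 copy launched through its C:\Windows\System32\omsecor.exe path (WoW64 file-system redirection for a 32-bit process), each SysWOW64 path indicator gets a System32 twin. The rewritten omsecor.exe with an unseen hash is still caught by its path.

```python
# Constructed sample: dropped files (path, SHA256) and contacted domains from the two
# detonations in this report, copied verbatim.
RUNS = {
    "win7-behavioral1": {
        "dropped": [
            (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
             "06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e"),
            (r"C:\Windows\SysWOW64\omsecor.exe",
             "a12a155219e8722cd08fa5d3ba01bd82f413c7f798f9214effa7913412efb8e9"),
            (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
             "ec31b349584d3468cb5a917b355b16a102ab1542d8aaa291f67e7bdd3e6500fa"),
        ],
        "domains": ["lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"],
    },
    "win10-behavioral2": {
        "dropped": [
            (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
             "06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e"),
            (r"C:\Windows\SysWOW64\omsecor.exe",
             "12428ef21052e8a099831804ddc9c38c636b0811320a29999ff49c6295572157"),
            (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
             "82af52c9e585409fd030e0a2a034bc42619f40f47e46a1e7306c9f7712fb7f35"),
        ],
        "domains": ["lousta.net", "ow5dirasuek.com", "mkkuei4kdsz.com"],
    },
}

PATH_ANCHORS = ("appdata", "syswow64", "system32")


def path_tail(path):
    """Reduce a path to the part from the first anchor directory on, lower-cased, so
    another user's profile still matches (...\\AppData\\Roaming\\omsecor.exe ->
    'appdata\\roaming\\omsecor.exe'). Paths without an anchor keep parent + file name."""
    parts = path.lower().split("\\")
    for i, part in enumerate(parts):
        if part in PATH_ANCHORS:
            return "\\".join(parts[i:])
    return "\\".join(parts[-2:])


def split_hashes(runs):
    """(hashes present in every run, hashes present in only some runs)."""
    per_run = [{sha for _p, sha in r["dropped"]} for r in runs.values()]
    stable = set.intersection(*per_run)
    return stable, set.union(*per_run) - stable


def build_iocs(runs):
    """Hash IOCs limited to hashes stable across runs; domains and drop-path tails from
    all runs. Each syswow64 tail also gets a system32 twin (WoW64 redirection)."""
    stable, _ = split_hashes(runs)
    tails = {path_tail(p) for r in runs.values() for p, _ in r["dropped"]}
    tails |= {t.replace("syswow64\\", "system32\\", 1)
              for t in tails if t.startswith("syswow64\\")}
    domains = {d.lower() for r in runs.values() for d in r["domains"]}
    return {"sha256": stable, "domains": domains, "path_tails": tails}


# Constructed telemetry in a hypothetical key=value shape chosen for this example;
# values carry no spaces, so a plain split is enough here.
TELEMETRY = [
    "event=dns host=ws01 query=lousta.net",
    "event=dns host=ws01 query=www.example.org",
    "event=file_create host=ws01 path=C:\\Users\\bob\\AppData\\Roaming\\omsecor.exe "
    "sha256=06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e",
    # same drop location, rewritten with a hash no sandbox run has seen
    "event=file_create host=ws01 path=C:\\Users\\bob\\AppData\\Roaming\\omsecor.exe "
    "sha256=" + "0" * 64,
    "event=file_create host=ws01 path=C:\\Windows\\System32\\omsecor.exe sha256=" + "1" * 64,
    # same file name in an unrelated directory: nothing should fire
    "event=file_create host=ws01 path=C:\\Tools\\omsecor.exe sha256=" + "2" * 64,
]


def parse_line(line):
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_telemetry(lines, iocs):
    """line index -> sorted list of IOC types that fired on that line."""
    hits = {}
    for i, line in enumerate(lines):
        ev = parse_line(line)
        reasons = []
        if ev.get("event") == "dns" and ev.get("query", "").lower().rstrip(".") in iocs["domains"]:
            reasons.append("domain")
        if ev.get("event") == "file_create":
            if ev.get("sha256", "").lower() in iocs["sha256"]:
                reasons.append("sha256")
            if path_tail(ev.get("path", "")) in iocs["path_tails"]:
                reasons.append("path")
        if reasons:
            hits[i] = sorted(reasons)
    return hits


if __name__ == "__main__":
    iocs = build_iocs(RUNS)
    print("stable hashes:", sorted(iocs["sha256"]))
    print("per-run hashes:", sorted(split_hashes(RUNS)[1]))
    for i, reasons in match_telemetry(TELEMETRY, iocs).items():
        print(i, reasons, TELEMETRY[i])
```

The path match is deliberately coarse (any omsecor.exe under AppData, SysWOW64 or System32); tighten it to the AppData\Roaming and SysWOW64 tails seen here if the coarse form is noisy, and treat the first-stage hash as the only hash worth distributing from this report.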