Malware Analysis Report

2024-11-16 12:59

Sample ID 240816-2eb38a1dpb
Target a432c44ea86711317d6d0ba15f9e6d70N.exe
SHA256 2a617dc021cd609d5875d5829d186f24267d509a625102e45ef5bcf82fe2c02f
Tags neconyd discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2a617dc021cd609d5875d5829d186f24267d509a625102e45ef5bcf82fe2c02f

Threat Level: Known bad

The file a432c44ea86711317d6d0ba15f9e6d70N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 22:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 22:29

Reported

2024-08-16 22:31

Platform

win7-20240705-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2840 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2840 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2840 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2840 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2840 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2840 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 1940 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2788 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2788 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2788 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1128 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1128 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1128 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1128 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1128 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1128 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2040 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe

"C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe"

C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe

C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/2840-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2840-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1940-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1940-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1940-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1940-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1940-10-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 78534387d4a4e061810e9d48cf6384c5
SHA1 b4a0a63e6a7e6e08ec68fa1a3107d61549067cae
SHA256 5c4bfa0fb9d3c722aea9e8277d6f19d337b28f74f63d6d66ebd0d19f957cefec
SHA512 2f33af5acb01af4c2afa3f34626c2ad1a50d0397d406604007001bec7f8f3eb86fb2e437fec6457635d6307cde71fc7f87bc054c1d87e91cca1d71253613dab4

memory/1940-20-0x0000000000230000-0x0000000000254000-memory.dmp

memory/1940-17-0x0000000000230000-0x0000000000254000-memory.dmp

memory/2780-22-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2780-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2788-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2788-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2788-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2788-44-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 c2b9b8ab8a105e23137d37714fe2bc62
SHA1 a1a7ecfd70e5aa63d9af24d886b3563dd679c6fa
SHA256 4194e5a1b6f0e99b2e39bf754a0add2d2b904b8b39f86bdd83561bef235a5941
SHA512 9776abd195ed9e17c3b47349919184cf7d0530854039cd5497212b4018cca10e925b1649ee525942983781d9e3eccaed5bd92e14afe637beb476ecf6cae69906

memory/2788-47-0x00000000020A0000-0x00000000020C4000-memory.dmp

memory/2788-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2728-77-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ddcbd22a7817d78846f1f3c8a9276780
SHA1 43a110e1f25ebc1961b3c090f8f37994c188c1a5
SHA256 8ef44acd4ed852d4962cb06bebb3c0f41293fbdb7b9354dc001d5860a2cf611d
SHA512 46a3a8cf1c41889d1a0d5e7a11adb6ec79d59d64b9bca1753dd802419dc95562ec2361ce9aa4bbb6306f77ac323b49c3c9a37f20d9cbff71f6ab7746d576a1c8

memory/1128-64-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2728-84-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1724-86-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 22:29

Reported

2024-08-16 22:31

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe
PID 2004 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2004 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2004 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1440 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1440 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1440 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1440 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1440 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4804 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4804 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4804 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 640 wrote to memory of 4300 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 640 wrote to memory of 4300 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 640 wrote to memory of 4300 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 640 wrote to memory of 4300 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 640 wrote to memory of 4300 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4300 wrote to memory of 4432 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4300 wrote to memory of 4432 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4300 wrote to memory of 4432 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4432 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4432 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4432 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4432 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4432 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe

"C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe"

C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe

C:\Users\Admin\AppData\Local\Temp\a432c44ea86711317d6d0ba15f9e6d70N.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2888 -ip 2888

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 300

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 640 -ip 640

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/2888-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2004-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2004-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2004-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2004-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1440-11-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 78534387d4a4e061810e9d48cf6384c5
SHA1 b4a0a63e6a7e6e08ec68fa1a3107d61549067cae
SHA256 5c4bfa0fb9d3c722aea9e8277d6f19d337b28f74f63d6d66ebd0d19f957cefec
SHA512 2f33af5acb01af4c2afa3f34626c2ad1a50d0397d406604007001bec7f8f3eb86fb2e437fec6457635d6307cde71fc7f87bc054c1d87e91cca1d71253613dab4

memory/4804-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4804-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1440-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2888-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4804-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4804-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4804-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4804-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 cfeddad418d6b80e1b190d77cba5f1e2
SHA1 ee4012b153682412790b3fb4decaf5021a75b450
SHA256 a7b126166e8fe135f2d9381d4db4e8376bda1738c618b4eba48e15e744922d10
SHA512 66a54c5aa97569cad403b3a24a14c96c0fa3efdecb5a88c2a59bd97e6d07ebf8479db6d5fdddaec35742d77a543128cafb9a8aca30d151a446ac46cd749ee2cb

memory/4804-33-0x0000000000400000-0x0000000000429000-memory.dmp

memory/640-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4300-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4300-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4300-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c42b0d063882355a87a840c8f0aabaff
SHA1 38c87e47382e0f464e2e85d31a5edb9f7f10cbd5
SHA256 142a5048ada24171dd0436d01a3c3faff268d58e7d9f5740f6485b8baf9230ed
SHA512 125806216b789e5cf5ba531678b9fe2646db8e0d9bbda0e837a949c0fb45f985214652f87879ea85969e166abe8cf3fabfdbd95ffc9cc2450842cde9edd9105d

memory/4432-44-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4536-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4536-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/640-50-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4536-51-0x0000000000400000-0x0000000000429000-memory.dmp