Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-btdmgsxdmc
Target a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea
SHA256 a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea
Tags neconyd discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea

Threat Level: Known bad

The file a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 01:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 01:25

Reported

2024-08-16 01:28

Platform

win7-20240708-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2636 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2636 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2636 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2636 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2636 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2636 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2632 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2632 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2632 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2632 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2688 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2688 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2688 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2688 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 468 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 468 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 468 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 468 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 468 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 468 wrote to memory of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 536 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 536 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 536 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 536 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe

"C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe"

C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe

C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2636-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2632-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2632-13-0x0000000000230000-0x0000000000254000-memory.dmp

memory/2632-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2636-7-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2632-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2632-12-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 21e7b0a03be7c0784f8332a2b526a504
SHA1 cac4acebab8a65c41c3d1879033b572f4049a490
SHA256 0130b299404ca0d7c564a2fc7c702e114356e25fd81d413be6cee5e394fdabfb
SHA512 2d8450e2e2e302ce01631bf973104510dbc0f1fcb0bf699cdc36b485c36db326d7254f54fba75cf3015b36b503a96ba887736bc5ec7a101c077e60700d2e3472

memory/2632-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2800-21-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2800-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2688-33-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2688-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2688-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2688-42-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3324215b696a04741aecfc4d672a0fc2
SHA1 050243072772cb3e3c9b9720c1eb50915f51b2f9
SHA256 cd766933f30232126cbcb85632f1e65fb482e6449fc79fa04ff24b1213b89f98
SHA512 744213908381a190a641d9be29139d46b56f25fecc03d65f799d61007ad4755e2bfd63cea962ed1d0700942daca24d189387628a3f4a624f6116fa16385038e5

memory/2688-45-0x0000000002290000-0x00000000022B4000-memory.dmp

memory/2688-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/468-62-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a315b96d00a6ab6a5586805238075909
SHA1 b99794e26652ca057619018107951a0bf4122ae3
SHA256 15fd6ac46b0db87342c964f5a660e4b5fbe7933a4bebde17062a46863a0ed1ee
SHA512 308f99e92d31f2b21cf53fabd757f24b8c27f95b8df3b1cd0cda6fb8ee11a38c93aafb2993c845a5d838e15712331a67c4f21d9edfa30f3d14bdf91c806f3e68

memory/2708-75-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2708-82-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2308-84-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2308-87-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 01:25

Reported

2024-08-16 01:28

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4512 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 4512 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 4512 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 4512 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 4512 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2632 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2696 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2696 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2696 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2696 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2696 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3732 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3732 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3732 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3312 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3312 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3312 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3312 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3312 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2348 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3512 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3512 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3512 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3512 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3512 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe

"C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe"

C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe

C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4512 -ip 4512

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2696 -ip 2696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 292

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3312 -ip 3312

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/4512-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2632-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2632-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2632-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2632-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2696-10-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 21e7b0a03be7c0784f8332a2b526a504
SHA1 cac4acebab8a65c41c3d1879033b572f4049a490
SHA256 0130b299404ca0d7c564a2fc7c702e114356e25fd81d413be6cee5e394fdabfb
SHA512 2d8450e2e2e302ce01631bf973104510dbc0f1fcb0bf699cdc36b485c36db326d7254f54fba75cf3015b36b503a96ba887736bc5ec7a101c077e60700d2e3472

memory/3732-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3732-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4512-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3732-17-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3732-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3732-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3732-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3732-29-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3312-30-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 6a7675252c3e0ca1b16a42c772602417
SHA1 5342da921243ae550032e576c158f9fd3660cb7f
SHA256 9475a1b7797ae241ab1e369acfdf207484848df26014759af743f58b25483d6f
SHA512 9cc920dc4fdc36e5951dd4f816b4a8fbe654745b3f1b15fa68631a8ec9723b1d5be410ab99716e93ce1d6f3c67e3443366d21766d7a183903192804b89d13088

memory/2348-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b64d4ad6d375545dd147ceb51b97d34c
SHA1 2b4eeb6a84766ac0d293e4c7afeebe399824b7cd
SHA256 bae33c80109e82cf03c2627134682a0922c9c990a28d8b8db40fb5a1ee119b2f
SHA512 81d1d7223e9a575181843d4aa85beb8a0ec4f1908b806fccc559540dca81156ef20e9352a5342ee26767b66c7bcb2f6aff336eac7e0e1ff43eff6985566d3d78

memory/2348-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2348-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3512-43-0x0000000000400000-0x0000000000424000-memory.dmp

memory/208-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/208-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3312-49-0x0000000000400000-0x0000000000424000-memory.dmp

memory/208-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/208-53-0x0000000000400000-0x0000000000429000-memory.dmp