Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-dw5j4awhlk
Target efa4fc3052b2ebfa8734041bd700b540N.exe
SHA256 a81da101dada6a966c91f846c342cd26f61fbc4271bd4428af369bcb40305500
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a81da101dada6a966c91f846c342cd26f61fbc4271bd4428af369bcb40305500

Threat Level: Known bad

The file efa4fc3052b2ebfa8734041bd700b540N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 03:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 03:22

Reported

2024-08-16 03:24

Platform

win7-20240704-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2176 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2628 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2628 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2628 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2628 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 584 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 584 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 584 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 584 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 584 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 584 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1932 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1932 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1932 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1932 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 636 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 636 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 636 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 636 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 636 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 636 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe

"C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe"

C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe

C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2176-0-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 df60ecfe7e04fadb083f36923e02606c
SHA1 743c5eb0057bbfd0bce93ade4aa762cec4cecf20
SHA256 e51cb7af47b47c2e65b23f65b0def2a94ec4e383355feb8749323733db5f85e7
SHA512 237b8dc660080819d78430d5a0ed4f0ff2496e6ac4ea10158572a555b20ace18036a03c6368a5e451f04c96d9c58b63d2e7b95e12d6ca170ccbd68c2a1958252

memory/2176-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2196-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2196-14-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2196-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2196-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3028-22-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3028-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2628-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2628-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2628-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2628-44-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 8ec1629f26be79609bac85b123335ce4
SHA1 d3e893f8b0da3787078450b4031aa2013fdea1b6
SHA256 cbe6d4743bb71166278eb7f592a83a5a47df6808c0b0478e7781815283851419
SHA512 f017ff14ed8dbb1a0037ea1627dc62b95b941c952fbcdaf085d27bb1b5061be2ca54fe0aac3d0a657a1658cf68190068f750b52341c34e989504d679193d5967

memory/2628-47-0x0000000000780000-0x00000000007A3000-memory.dmp

memory/2628-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/584-57-0x0000000000400000-0x0000000000423000-memory.dmp

memory/584-67-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b0fd1940ed1231863295227f9beaad0c
SHA1 1b00ba4a9adaede3f53674a6459c9e9f4dd03c2c
SHA256 72ebc0f2372da772ccee636eeb8a662cee2647944bac2fa55f901b4002bb4f73
SHA512 f06e81f1b0dd8e3e9a91bb757953c002caf23e7da02043bd303642f682eb7e57e3bf325d2daa3e49977bad4a8b31f2808b7ba9b26129e0e53963c1d97de6536f

memory/1932-78-0x0000000000230000-0x0000000000253000-memory.dmp

memory/636-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/636-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1932-90-0x0000000000230000-0x0000000000253000-memory.dmp

memory/1828-91-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 03:22

Reported

2024-08-16 03:24

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 544 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 544 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 544 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 544 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 544 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 696 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 696 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 696 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 696 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 696 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1816 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1816 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1816 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1356 wrote to memory of 1248 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1356 wrote to memory of 1248 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1356 wrote to memory of 1248 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1356 wrote to memory of 1248 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1356 wrote to memory of 1248 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1248 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1248 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1248 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5028 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5028 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5028 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5028 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5028 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe

"C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe"

C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe

C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 544 -ip 544

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 256

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 696 -ip 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1356 -ip 1356

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/544-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2920-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2920-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2920-3-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 df60ecfe7e04fadb083f36923e02606c
SHA1 743c5eb0057bbfd0bce93ade4aa762cec4cecf20
SHA256 e51cb7af47b47c2e65b23f65b0def2a94ec4e383355feb8749323733db5f85e7
SHA512 237b8dc660080819d78430d5a0ed4f0ff2496e6ac4ea10158572a555b20ace18036a03c6368a5e451f04c96d9c58b63d2e7b95e12d6ca170ccbd68c2a1958252

memory/696-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2920-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1816-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1816-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/544-16-0x0000000000400000-0x0000000000423000-memory.dmp

memory/696-17-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1816-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1816-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1816-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1816-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1816-29-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1356-30-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d4476fdeeaafeba33846c6cc08b8f03d
SHA1 ce03ea4d470f1aaec2a4c6cbe289afcbedddb821
SHA256 08a7fd032fa0cb1172433bfd9ccf5585eabcf27b6e8fe894c803dabf939b975b
SHA512 3337a466d4dfb1a6c83048cebeb81878c6d5a43652a4992d77039fd91de2c8552cbaf21fb4be46fabaf7fbbea8777bd60dadb4e50e854535525579a5bcc2f6ec

memory/1248-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1248-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1248-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5028-43-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2bc34dda4d90dbb944c31c3185768ac8
SHA1 ee24d474e73d49d25f3bae4751ea5e717f52d38f
SHA256 3e88e3ebc47f922e6071179da3a873797ab14ff25ed6c4d4ec6305ca3f8ef319
SHA512 a79732a672b1c562b454716f0e591cea541c64bbecc76a47b028cafd088a42a1acb247fce817a042924f09df84970211c522ca1299ce9858cdbf7d59f2db2895

memory/1600-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1600-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1356-50-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5028-52-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1600-53-0x0000000000400000-0x0000000000429000-memory.dmp