Malware Analysis Report

2024-11-16 12:58

Sample ID 240817-axsedawhnb
Target 5d17a345e856fec8a2071e09c389e040N.exe
SHA256 61432fd5dd4dc3014ff9b67f3ada5b6e0690430e6943af208677ed5cb03d5f76
Tags neconyd, discovery, trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 61432fd5dd4dc3014ff9b67f3ada5b6e0690430e6943af208677ed5cb03d5f76

Threat Level: Known bad

The file 5d17a345e856fec8a2071e09c389e040N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory

Read together, the behavioral signatures describe a staged installer. Each stage launches a second copy of its own image, writes into it (WriteProcessMemory) and redirects its thread (SetThreadContext); that copy then drops and launches the next stage under the name omsecor.exe, first in %APPDATA%, then in SysWOW64, then in %APPDATA% again. The report does not map the injection step to an ATT&CK technique; SetThreadContext plus WriteProcessMemory into a freshly spawned copy of the same image is the classic process-hollowing pattern (editor's reading of the signatures, not a verdict the sandbox states). "Program crash" refers to the Windows 10 run, where each injecting parent was handled by WerFault.exe while the chain continued.

MITRE ATT&CK

Enterprise Matrix V15

Discovery: T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry reads recorded in both behavioral runs)

Analysis: static1

Detonation Overview

Reported

2024-08-17 00:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 00:35

Reported

2024-08-17 00:37

Platform

win7-20240729-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

The sandbox user is Admin. Creating a file under C:\Windows\SysWOW64 requires administrative rights, so on a standard-user host this stage cannot complete as recorded here and the chain would stall at the %APPDATA% copy.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Events
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | 2

(The Target column was N/A for every row and is dropped; Events counts identical rows.)

Suspicious use of WriteProcessMemory

Description | Process | Target | Events
PID 2660 wrote to memory of 2680 | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | 6
PID 2680 wrote to memory of 2744 | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4
PID 2744 wrote to memory of 2972 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 6
PID 2972 wrote to memory of 1952 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe | 4
PID 1952 wrote to memory of 600 | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe | 6
PID 600 wrote to memory of 2436 | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4
PID 2436 wrote to memory of 2364 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 6

(The Indicator column was N/A for every row and is dropped; Events counts identical rows.)

The writes alternate between two kinds. Six writes into a child running the same image (2660 → 2680, 2744 → 2972, 1952 → 600, 2436 → 2364) are the hollowing step; four writes into a child running the next dropped stage (2680 → 2744, 2972 → 1952, 600 → 2436) hand over to that stage. The full chain is 2660 → 2680 → 2744 → 2972 → 1952 → 600 → 2436 → 2364, that is Temp dropper → %APPDATA%\omsecor.exe → SysWOW64\omsecor.exe → %APPDATA%\omsecor.exe again.
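The chain can be recovered mechanically from rows like these. The script below is an added example for this write-up, not part of the sandbox report or of the sample: it takes the behavioral1 WriteProcessMemory rows (re-expanded from the per-pair counts into the report's own one-line-per-call format), orders the writers into a chain and flags every hop where writer and target run the same image as a hollowing step. The "same image means hollowing" rule and the PID-to-image mapping are this example's assumptions; the row pattern assumes paths without spaces, which holds for this report.

```python
"""Rebuild the injection chain from WriteProcessMemory rows of a sandbox report.

Added example for this write-up, not part of the sandbox report. EVENTS is
constructed from the behavioral1 signature table: one tuple per distinct
(writer, target) pair with the number of identical rows the report lists.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYS = r"C:\Windows\SysWOW64\omsecor.exe"

# (writer pid, target pid, writer image, target image, rows in the report)
EVENTS = [
    (2660, 2680, TEMP, TEMP, 6),
    (2680, 2744, TEMP, ROAM, 4),
    (2744, 2972, ROAM, ROAM, 6),
    (2972, 1952, ROAM, SYS, 4),
    (1952, 600, SYS, SYS, 6),
    (600, 2436, SYS, ROAM, 4),
    (2436, 2364, ROAM, ROAM, 6),
]

# The report prints one row per WriteProcessMemory call:
#   "PID <w> wrote to memory of <t> N/A <writer image> <target image>"
REPORT_LINES = [
    f"PID {w} wrote to memory of {t} N/A {wi} {ti}"
    for w, t, wi, ti, n in EVENTS
    for _ in range(n)
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(lines):
    """Return (writer_pid, target_pid, writer_image, target_image) per row.

    Paths in this report contain no spaces, so a run of non-space characters
    is enough; rows that do not match (headers, other signatures) are skipped.
    """
    out = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            w, t, wi, ti = m.groups()
            out.append((int(w), int(t), wi, ti))
    return out


def summarize(lines):
    """Order the writers into a chain and flag the hollowing hops.

    A hop where writer and target run the same image is the self-injection
    (hollowing) step; a hop into a different image is the hand-over to the
    next dropped stage.
    """
    rows = parse_rows(lines)
    calls = Counter((w, t) for w, t, _, _ in rows)
    image, next_pid = {}, {}
    for w, t, wi, ti in rows:
        image[w], image[t] = wi, ti
        next_pid[w] = t  # every writer in this report has exactly one target
    targets = set(next_pid.values())
    roots = [p for p in next_pid if p not in targets]
    chain, pid, seen = [], (roots[0] if roots else None), set()
    while pid is not None and pid not in seen:  # seen guards against cycles
        seen.add(pid)
        chain.append(pid)
        pid = next_pid.get(pid)
    self_hops = [(a, b) for a, b in zip(chain, chain[1:]) if image[a] == image[b]]
    stages = []
    for p in chain:  # collapse consecutive PIDs running the same image
        if not stages or stages[-1] != image[p]:
            stages.append(image[p])
    return {"chain": chain, "images": image, "calls": dict(calls),
            "self_image_hops": self_hops, "stage_images": stages}


def render(summary):
    """Indented text tree, one line per PID, marking the hollowing hops."""
    hollow = set(summary["self_image_hops"])
    out, prev = [], None
    for depth, pid in enumerate(summary["chain"]):
        tag = ""
        if prev is not None:
            kind = "hollowing" if (prev, pid) in hollow else "next stage"
            tag = f"  <- {summary['calls'][(prev, pid)]} writes from {prev} ({kind})"
        out.append("  " * depth + f"{pid} {summary['images'][pid]}{tag}")
        prev = pid
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(REPORT_LINES)))
```

Running it prints the eight-process tree with every second hop tagged as hollowing; feeding it the rows of another report of the same family should give the same Temp, %APPDATA%, SysWOW64, %APPDATA% stage sequence if the installer is unchanged.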

Processes

PIDs are matched to this list by its order, which follows the WriteProcessMemory chain; each entry is the image path followed by the command line the sandbox recorded.

2660 C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
     "C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"
  2680 C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
       C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
    2744 C:\Users\Admin\AppData\Roaming\omsecor.exe
         C:\Users\Admin\AppData\Roaming\omsecor.exe
      2972 C:\Users\Admin\AppData\Roaming\omsecor.exe
           C:\Users\Admin\AppData\Roaming\omsecor.exe
        1952 C:\Windows\SysWOW64\omsecor.exe
             C:\Windows\System32\omsecor.exe
          600 C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
            2436 C:\Users\Admin\AppData\Roaming\omsecor.exe
                 C:\Users\Admin\AppData\Roaming\omsecor.exe
              2364 C:\Users\Admin\AppData\Roaming\omsecor.exe
                   C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the command line C:\Windows\System32\omsecor.exe for PID 1952 against an image path in SysWOW64: the 32-bit dropper asked for System32 and WOW64 file system redirection mapped the request to SysWOW64. Hunt for both spellings of the path.

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | lousta.net | udp | 1
FI | 193.166.255.171:80 | lousta.net | tcp | 4
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp | 1
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp | 1
US | 8.8.8.8:53 | ow5dirasuek.com | udp | 1
US | 52.34.198.229:80 | ow5dirasuek.com | tcp | 1

(Events counts identical rows.) Three domains are resolved and then contacted over plain HTTP (TCP/80), lousta.net repeatedly; these are the network indicators to take from this run. The report records endpoints only, not the HTTP requests themselves.

Files

Dropped files are listed where the sandbox first saw them, between the memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp) taken at the time.

memory/2660-0-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe (first write)
MD5 830f191839931124411aa22b7823c429
SHA1 13da3726f6579ea892e38978fe0d4f83d414a8b3
SHA256 66136da83767cebbbaccdc8e436f3a8e47cbf25b752b7f221a26403cdfcad638
SHA512 a9821a1a7b8a72eed72605d485149386d6e75b07fe719b190655c6a2dbe117c00fe5850acbdecced620053f349768369a4a9650c3ea0e787ac8d71187467fc8a

memory/2680-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-13-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2680-12-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2660-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2680-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2744-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2744-25-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2744-33-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2972-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2972-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2972-42-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2972-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe
MD5 b2fd7143ad061d97455c364d4aae99da
SHA1 9e924fb17f9e5d36d8c7a24c00b5229a5055bdc2
SHA256 94ab35526db24cfca3ad7a82278f14c515753bd1790a5390ed4e8c07e2fc6c6e
SHA512 fe9a74f5642354189aaa69f23b62dea9cd2d8889a5ac0ee2bc3bc3c269dfddc335b42ee506d216fcb4d7be98a25d44f59bbfaf06372e43171f3ccfaff1e6e09e

memory/2972-48-0x0000000000330000-0x0000000000353000-memory.dmp
memory/2972-56-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1952-66-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe (second write, later in the chain)
MD5 73dabb9ddeabfc23efc5fb84418c7388
SHA1 77e24e3b24a0e03ff30414e7900428d8731b17ad
SHA256 b8f9dad1bf1286c057faaad13686aa7c7a14a5beb81572ea06b870f492f85791
SHA512 69ea4bad9d176462f5eaea29f5e0564277815cf01f1fc7ab608f77ea806816ab658d0d7caf84aa7dfbbdc0482158f8da69ab01ccdde39a4d6902556a916d1f31

memory/600-72-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2436-80-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2436-88-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2364-90-0x0000000000400000-0x0000000000429000-memory.dmp

Two points for anyone turning this into indicators. The same path, C:\Users\Admin\AppData\Roaming\omsecor.exe, is written twice in one run with different content (SHA256 66136da8... first, b8f9dad1... later), so a hash of that file depends on when it is collected; the path and the behaviour around it are the durable indicators. And the dumps show the hollowing in memory: each dropper's own image occupies 0x23000 bytes at 0x400000 (PIDs 2660, 2744, 1952, 2436), while the copy it wrote into shows a 0x29000-byte image at the same base (PIDs 2680, 2972, 2364), larger than the file that process was started from.

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 00:35

Reported

2024-08-17 00:37

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Events
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | 2

(The Target column was N/A for every row and is dropped; Events counts identical rows.)

Suspicious use of WriteProcessMemory

Description | Process | Target | Events
PID 1688 wrote to memory of 5048 | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | 5
PID 5048 wrote to memory of 640 | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 3
PID 640 wrote to memory of 4272 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 5
PID 4272 wrote to memory of 2920 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe | 3
PID 2920 wrote to memory of 2396 | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe | 5
PID 2396 wrote to memory of 3648 | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 3
PID 3648 wrote to memory of 2320 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 5

(The Indicator column was N/A for every row and is dropped; Events counts identical rows. Chain: 1688 → 5048 → 640 → 4272 → 2920 → 2396 → 3648 → 2320, the same Temp → %APPDATA% → SysWOW64 → %APPDATA% sequence as on Windows 7.)

Processes

PIDs are matched to this list by its order, which follows the WriteProcessMemory chain; each entry is the image path followed by the recorded command line. WerFault.exe instances are grouped separately below by the PID in their -p argument.

1688 C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
     "C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"
  5048 C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
       C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
    640 C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
      4272 C:\Users\Admin\AppData\Roaming\omsecor.exe
           C:\Users\Admin\AppData\Roaming\omsecor.exe
        2920 C:\Windows\SysWOW64\omsecor.exe
             C:\Windows\System32\omsecor.exe
          2396 C:\Windows\SysWOW64\omsecor.exe
               C:\Windows\SysWOW64\omsecor.exe
            3648 C:\Users\Admin\AppData\Roaming\omsecor.exe
                 C:\Users\Admin\AppData\Roaming\omsecor.exe
              2320 C:\Users\Admin\AppData\Roaming\omsecor.exe
                   C:\Users\Admin\AppData\Roaming\omsecor.exe

Windows Error Reporting, one pair of WerFault.exe invocations per crashed process:

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1688 -ip 1688
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 288
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 640 -ip 640
C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 292
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2920 -ip 2920
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 292
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 268

The four processes that crashed (1688, 640, 2920, 3648) are exactly the four that wrote into a copy of their own image; each hollowed child kept running and the chain completed regardless, which is what the "Program crash" signature in the summary records. On a real Windows 10 host this is a cheap detection hook: the Application Error event (ID 1000) names the faulting image path, and an unsigned omsecor.exe in %APPDATA% or SysWOW64 crashing moments after spawning itself is not something legitimate software does. As on Windows 7, the System32 command line for PID 2920 against a SysWOW64 image path is WOW64 file system redirection at work.

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | lousta.net | udp | 1
FI | 193.166.255.171:80 | lousta.net | tcp | 4
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp | 1
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp | 1
US | 8.8.8.8:53 | ow5dirasuek.com | udp | 1
US | 52.34.198.229:80 | ow5dirasuek.com | tcp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | (PTR queries, listed below) | udp | 14

(Events counts identical rows.) PTR (in-addr.arpa) queries in the order recorded, each with the address it reverses:

196.249.167.52.in-addr.arpa (52.167.249.196)
172.210.232.199.in-addr.arpa (199.232.210.172)
68.159.190.20.in-addr.arpa (20.190.159.68)
95.221.229.192.in-addr.arpa (192.229.221.95)
28.118.140.52.in-addr.arpa (52.140.118.28)
26.35.223.20.in-addr.arpa (20.223.35.26)
232.168.11.51.in-addr.arpa (51.11.168.232)
183.59.114.20.in-addr.arpa (20.114.59.183)
56.126.166.20.in-addr.arpa (20.166.126.56)
217.135.221.88.in-addr.arpa (88.221.135.217)
73.91.225.64.in-addr.arpa (64.225.91.73, the mkkuei4kdsz.com endpoint)
229.198.34.52.in-addr.arpa (52.34.198.229, the ow5dirasuek.com endpoint)
23.236.111.52.in-addr.arpa (52.111.236.23)
57.169.31.20.in-addr.arpa (20.31.169.57)

The sample's own traffic is the same as in the Windows 7 run: the three domains resolved and then contacted over TCP/80. The tse1.mm.bing.net connections and the reverse lookups of addresses the sample never contacted are typical Windows 10 background activity and should not be carried into an indicator list; the two reverse lookups that do match the sample's endpoints are most likely the host resolving names for connections it had just made, not a second contact.
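Separating the sample's traffic from the VM's background activity is worth automating before indicators leave a report. The script below is an added example for this write-up, not part of the sandbox report: it parses the behavioral2 Network table (copied in as constructed input), groups TCP connections by name, decodes PTR names back to addresses and checks them against the endpoints the sample actually connected to. The BACKGROUND_SUFFIXES allowlist is an assumption made for the example; keep your own.

```python
"""Split a sandbox Network table into the sample's own contacts and host noise.

Added example for this write-up, not part of the sandbox report. NETWORK_ROWS is
the behavioral2 Network table copied in as constructed input; BACKGROUND_SUFFIXES
is an analyst-maintained allowlist assumed for this example, not something the
report provides.
"""
import re
from collections import Counter, defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$")

# Assumed allowlist of name suffixes that Windows 10 contacts on its own.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windows.com", ".msftconnecttest.com")


def parse_network(text):
    """One dict per 'Country Destination Domain Proto' row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, name, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_background(name):
    return name.endswith(BACKGROUND_SUFFIXES)


def triage(text):
    """Group TCP connections by name, split them into C2 candidates and
    allowlisted background, and match decoded PTR queries against the
    addresses that were actually connected to."""
    contacted = defaultdict(set)  # name -> {"ip:port", ...}
    tcp_count = Counter()
    ptr_ips = set()
    for r in parse_network(text):
        ip = ptr_to_ip(r["name"])
        if ip is not None:
            ptr_ips.add(ip)
        elif r["proto"] == "tcp":
            contacted[r["name"]].add(f"{r['ip']}:{r['port']}")
            tcp_count[r["name"]] += 1
    contacted_ips = {ep.rsplit(":", 1)[0] for eps in contacted.values() for ep in eps}
    return {
        "c2": {n: eps for n, eps in contacted.items() if not is_background(n)},
        "background": {n: eps for n, eps in contacted.items() if is_background(n)},
        "tcp_count": dict(tcp_count),
        "ptr_of_contacted": ptr_ips & contacted_ips,  # host reversing its own connections
        "ptr_other": ptr_ips - contacted_ips,          # reverse lookups unrelated to the sample
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for name, endpoints in sorted(result["c2"].items()):
        print(f"C2 candidate: {name} -> {sorted(endpoints)} ({result['tcp_count'][name]} connections)")
    print("PTR of sample endpoints:", sorted(result["ptr_of_contacted"]))
    print("PTR unrelated to sample:", len(result["ptr_other"]))
```

The output is the three-domain indicator set with its endpoints, the two PTR lookups that reverse the sample's own endpoints, and a count of the twelve reverse lookups that have nothing to do with it. DNS query rows for the C2 names are deliberately not counted as contacts; only a TCP connection after resolution is.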

Files

Dropped files are listed where the sandbox first saw them, between the memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp) taken at the time.

memory/1688-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/5048-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5048-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5048-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5048-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe (first write)
MD5 830f191839931124411aa22b7823c429
SHA1 13da3726f6579ea892e38978fe0d4f83d414a8b3
SHA256 66136da83767cebbbaccdc8e436f3a8e47cbf25b752b7f221a26403cdfcad638
SHA512 a9821a1a7b8a72eed72605d485149386d6e75b07fe719b190655c6a2dbe117c00fe5850acbdecced620053f349768369a4a9650c3ea0e787ac8d71187467fc8a

memory/640-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4272-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4272-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/640-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1688-18-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4272-19-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4272-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4272-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4272-26-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
MD5 87c8c19a7567d640fb3461e8c4ec99aa
SHA1 c50e60559894d0d203a7625b26c821599e2ce1aa
SHA256 971cfd86e06c91c74c4027038d85cb4bca74ca2d4f611296a36c750e207492b9
SHA512 6537e3bfb673e2328965006f8f40c464bfb742cd1a99380d4d7a8e0ca122c0fbecf05a7f0afc7c32bde838f0d4f7955ac98ad4fcc7fa470357b025028a0a1ac9

memory/2920-31-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4272-30-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2396-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2396-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2396-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe (second write, later in the chain)
MD5 57d651f5a395b37c360e1524f5e615b3
SHA1 87d250426fb97d5b0d68f01cb31d26e1dadcd2f0
SHA256 b9013b619fe0466fba6bc7e13252a609ad8a0a5f4988efdb004eefe347c25370
SHA512 422d61d8d2e54e547b3d1e446eee8a10d35c23ac1b1339c934454708a2d1515fc259e81b4856e92bed1678061e6abd1196056cbe93dce9bffe57f0ff09486a13

memory/3648-43-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2320-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2320-49-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2920-51-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2320-52-0x0000000000400000-0x0000000000429000-memory.dmp

Only the first-stage drop is stable across the two detonations: SHA256 66136da8... is identical in the Windows 7 and Windows 10 runs, while the SysWOW64 copy (94ab3552... on Windows 7, 971cfd86... here) and the second %APPDATA% write (b8f9dad1... there, b9013b61... here) differ. Block or hunt on the first-stage hash and on the two paths; the later-stage hashes belong to one infection and are unlikely to match another.