Malware Analysis Report

2025-06-16 06:59

Sample ID: 241104-j6he7sxjhv
Target: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N
SHA256: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730
Tags: neconyd, discovery, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730
Threat Level: Known bad

The file 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N was found to be: Known bad.

Across both detonations the sample starts a second copy of itself and writes into it (WriteProcessMemory, with SetThreadContext flagged in the summary below, which together is the usual process-hollowing pattern), drops omsecor.exe to C:\Users\Admin\AppData\Roaming, and that dropper repeats the same pattern and installs a further copy as C:\Windows\SysWOW64\omsecor.exe. Every stage opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language (System Language Discovery), and both runs connect to lousta.net, mkkuei4kdsz.com and ow5dirasuek.com on TCP port 80. The per-run evidence is in the behavioral1 (Windows 7) and behavioral2 (Windows 10) sections.

Malicious Activity Summary

Tags: neconyd, discovery, trojan

Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 08:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 08:16
Reported: 2024-11-04 08:19
Platform: win7-20241010-en
Max time kernel: 148s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Neconyd family (tags: neconyd)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Identical rows of the original table are collapsed; Rows is the number of times each appears. All three images (the sample, the AppData\Roaming copy and the SysWOW64 copy) open the NLS\Language key, which holds the system default language and is a common check in malware that declines to run on certain locales. The report records only the key open, not the value read, so no locale exclusion can be concluded from it.

Description | Indicator | Process | Target | Rows
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A | 2

Suspicious use of WriteProcessMemory

The original table has one row per write; identical rows are collapsed here and Writes is the row count. The chain is strictly linear: each stage first writes into a new process running its own image (6 writes), then into a process running the next dropped image (4 writes). Together with the SetThreadContext signature in the overview, the write into a fresh copy of the writer's own image is the process-hollowing pattern.

Writer PID | Target PID | Writes | Process | Target
2744 | 2392 | 6 | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
2392 | 2912 | 4 | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
2912 | 1848 | 6 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
1848 | 2072 | 4 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
2072 | 2960 | 6 | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
2960 | 1632 | 4 | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
1632 | 332 | 6 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image and command line of each process, in the order the report lists them. The PIDs are matched by order and image to the chain in the WriteProcessMemory table, which lists the same eight processes in the same order.

C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (PID 2744)
  "C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (PID 2392, written into by 2744)
  C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2912, written into by 2392)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1848, written into by 2912)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe (PID 2072, written into by 1848)
  C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe (PID 2960, written into by 2072)
  C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1632, written into by 2960)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 332, written into by 1632)
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the first SysWOW64 instance: its command line names C:\Windows\System32\omsecor.exe while the image runs from C:\Windows\SysWOW64. The process is 32-bit, so the WOW64 file-system redirector maps the System32 path onto SysWOW64; a detection rule keyed on the path should match both spellings.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp

Files

Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp) and dropped files, in the order the report lists them.

memory/2744-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2392-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2392-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2744-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2392-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-1-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    fd29e3ec0adbe41ec0dde8fcd181fbfd
  SHA1   8e25cb8af3c2c6593da992f1c0ac5db70878700e
  SHA256 f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a
  SHA512 351ce623d44933e9f02c15c3cf7c3933200457ee56a300a02a15250cc9aa2392a55d3f974ddcde7317c3de4b87c34c7ac5f566face55bfd91c73c42304112fc3

memory/2912-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2912-29-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1848-31-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-43-0x00000000002B0000-0x00000000002D4000-memory.dmp

\Windows\SysWOW64\omsecor.exe
  MD5    592458d3ca974a55d54d915129518415
  SHA1   46cb162d598226076478a839f5a3e65e35e87890
  SHA256 8a34ab8ea2f67798a0758b98d8eede86e0420864f7a60ecf114f0f9cfc2b9edb
  SHA512 7a4928d65a76db1768f6a380e33e7f0781aebc0c5f1918ae8e7783005cecae27623ee500f91de533d3148af3ec36513b874f7412f2feba929ff6b8db2947fc4e

memory/1848-50-0x00000000002B0000-0x00000000002D4000-memory.dmp
memory/2072-54-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1848-53-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2072-63-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    783be9f53f8739747f523040fe3d4a5c
  SHA1   8ca46ba5c49e685d13d73b77d38dc9d3cacc504f
  SHA256 c36cfdc109a6123703fcd7863df6a0e2b9fcdc0458961f3c3fa831b57ea525eb
  SHA512 002bb3abdb67772c779efe74d1c1287b9cc38b2922ff5aa214fb57a2f9d846e2daceca5c192cee84969710e20dc761757f99513aac0c7c793c16c2456a16b46b

memory/1632-76-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2960-68-0x00000000003B0000-0x00000000003D4000-memory.dmp
memory/1632-83-0x0000000000400000-0x0000000000424000-memory.dmp
memory/332-85-0x0000000000400000-0x0000000000429000-memory.dmp
memory/332-88-0x0000000000400000-0x0000000000429000-memory.dmp

Two details in this listing matter for detection. First, every process that is written into by a copy of its own image (2392, 1848, 2960, 332) has a main-module range of 0x400000-0x429000, while the writer's is 0x400000-0x424000: the child's image has been replaced by a larger one, consistent with hollowing, and the 0x24000-byte regions at 0x2B0000 (PID 1848) and 0x3B0000 (PID 2960) are the same size as the on-disk image. Second, \Users\Admin\AppData\Roaming\omsecor.exe is recorded twice with different hashes (MD5 fd29e3ec0adbe41ec0dde8fcd181fbfd first, 783be9f53f8739747f523040fe3d4a5c later), so the file is rewritten during the run; hashes of anything but the first drop are not stable indicators (compare the behavioral2 files).

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 08:16
Reported: 2024-11-04 08:20
Platform: win10v2004-20241007-en
Max time kernel: 144s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Neconyd family (tags: neconyd)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Identical rows of the original table are collapsed; Rows is the number of times each appears. The same three images open the key as in behavioral1.

Description | Indicator | Process | Target | Rows
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A | 2

Suspicious use of WriteProcessMemory

Identical rows are collapsed as in behavioral1; Writes is the row count. The chain has the same shape on Windows 10 (own image, then next dropped image, repeated), with 5 writes per self-write and 3 per hand-off instead of 6 and 4.

Writer PID | Target PID | Writes | Process | Target
4356 | 3952 | 5 | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
3952 | 2152 | 3 | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
2152 | 2728 | 5 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
2728 | 492 | 3 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
492 | 4952 | 5 | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
4952 | 4848 | 3 | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
4848 | 4812 | 5 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image and command line of each process, in the order the report lists them. PIDs for the sample and omsecor.exe instances are matched by order and image to the chain in the WriteProcessMemory table; the WerFault.exe instances carry the crashed PID in their own command line (-p <pid>).

C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (PID 4356)
  "C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (PID 3952, written into by 4356)
  C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4356 -ip 4356
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2152, written into by 3952)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2728, written into by 2152)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2152 -ip 2152
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 276
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 288
C:\Windows\SysWOW64\omsecor.exe (PID 492, written into by 2728)
  C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe (PID 4952, written into by 492)
  C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 492 -ip 492
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4848, written into by 4952)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4812, written into by 4848)
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 260

Windows Error Reporting was started for PIDs 4356, 2152, 492 and 4848, which are exactly the four processes that write into a copy of their own image; each is reported crashed after its child has started, and the chain still runs to completion (the "Program crash" entry in the overview). The hand-off processes 3952, 2728 and 4952 do not crash, and no WerFault.exe appears in the Windows 7 run. As in behavioral1, the first SysWOW64 instance was launched with a System32 command line and runs from SysWOW64 through WOW64 file-system redirection.
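The WriteProcessMemory tables of both runs and the WerFault.exe command lines above are easier to reason about as a chain than as a flat list of rows. The script below is an added example, not part of the report or of any sandbox's tooling: it parses rows of the shape the report uses, orders the writer/target edges into a lineage from the root PID, tags each hop as a write into the writer's own image (the hollowing pattern) or a hand-off to the next dropped image, and marks the writers for which WerFault.exe was started. The embedded input is the behavioral2 data re-typed from this page (constructed input, regenerated from the collapsed counts); the behavioral1 rows have the same shape and parse the same way. The hop labels and function names are this example's own.

```python
"""Reconstruct the injection chain from the sandbox's 'wrote to memory of'
rows and join it to the WerFault.exe command lines from the process list.

Added example, not part of the original report. Input below is re-typed from
this page's behavioral2 tables (constructed input); the behavioral1 rows have
the same shape and parse the same way.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# behavioral2 WriteProcessMemory rows: (writer pid, target pid, writer image,
# target image, number of identical rows in the report), expanded back into
# the one-line-per-row text the report uses.
_SPEC = [
    (4356, 3952, SAMPLE, SAMPLE, 5),
    (3952, 2152, SAMPLE, ROAMING, 3),
    (2152, 2728, ROAMING, ROAMING, 5),
    (2728, 492, ROAMING, SYSWOW64, 3),
    (492, 4952, SYSWOW64, SYSWOW64, 5),
    (4952, 4848, SYSWOW64, ROAMING, 3),
    (4848, 4812, ROAMING, ROAMING, 5),
]
BEHAVIORAL2_ROWS = ["Description Indicator Process Target"] + [
    f"PID {s} wrote to memory of {d} N/A {si} {ti}"
    for s, d, si, ti, n in _SPEC for _ in range(n)
]
# WerFault.exe command lines from the behavioral2 process list.
BEHAVIORAL2_WERFAULT = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4356 -ip 4356",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2152 -ip 2152",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 276",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 288",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 492 -ip 492",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 292",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 260",
]

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
WERFAULT = re.compile(r"\\WerFault\.exe\b.*\s-p\s+(\d+)", re.IGNORECASE)


def parse_rows(lines):
    """Parse 'PID A wrote to memory of B N/A <writer image> <target image>'
    rows as (writer, target, writer image, target image); other lines are skipped."""
    events = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def crashed_pids(cmdlines):
    """PIDs Windows Error Reporting was invoked for: the '-p <pid>' argument
    of each WerFault.exe command line."""
    return {int(m[1]) for c in cmdlines if (m := WERFAULT.search(c))}


def build_chain(events, crashed=frozenset()):
    """Order the writer->target edges into a lineage from the root pid and tag
    each hop: a write into a fresh process running the writer's own image is
    the hollowing pattern (pair it with the SetThreadContext signature); a
    write into a different image is a hand-off to the next dropped stage."""
    writes = Counter((src, dst) for src, dst, _, _ in events)
    image, children = {}, defaultdict(set)
    for src, dst, src_img, dst_img in events:
        image[src], image[dst] = src_img, dst_img
        children[src].add(dst)
    roots = set(children) - {d for ds in children.values() for d in ds}
    if len(roots) != 1:
        raise ValueError(f"expected one root pid, got {sorted(roots)}")
    pid = roots.pop()
    hops, seen = [], {pid}
    while pid in children:
        if len(children[pid]) != 1:  # this sample's chain is linear; a fan-out needs a tree walk
            raise ValueError(f"pid {pid} writes into several processes")
        (dst,) = children[pid]
        if dst in seen:
            raise ValueError("cycle in injection chain")
        seen.add(dst)
        hops.append({
            "src": pid, "dst": dst, "writes": writes[(pid, dst)],
            "src_image": image[pid], "dst_image": image[dst],
            "kind": "self-hollowing" if image[pid] == image[dst] else "hand-off",
            "src_crashed": pid in crashed,
        })
        pid = dst
    return hops


def lineage(hops):
    """Flat pid list, root first."""
    return [hops[0]["src"]] + [h["dst"] for h in hops]


if __name__ == "__main__":
    chain = build_chain(parse_rows(BEHAVIORAL2_ROWS), crashed_pids(BEHAVIORAL2_WERFAULT))
    for h in chain:
        flag = " (writer crashed)" if h["src_crashed"] else ""
        print(f"{h['src']:>5} -> {h['dst']:<5} {h['writes']}x {h['kind']:<14} {h['dst_image']}{flag}")
```

Run on the behavioral2 data the chain comes out as 4356 > 3952 > 2152 > 2728 > 492 > 4952 > 4848 > 4812, alternating self-hollowing and hand-off hops, and the crashed writers are precisely the four self-hollowing ones. On real endpoint telemetry the same shape (a process writing into a freshly started copy of its own image, then into a process running a file it just dropped) is the behaviour to alert on, independent of the omsecor.exe name.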

Network

lousta.net, mkkuei4kdsz.com and ow5dirasuek.com are contacted here exactly as in behavioral1 (same resolved addresses, TCP port 80). The in-addr.arpa entries are reverse lookups and g.bing.com / tse1.mm.bing.net are Windows 10 background traffic; they occur only in this run and are not attributable to the sample on this evidence.

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp) and dropped files, in the order the report lists them.

memory/4356-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3952-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3952-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3952-3-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    fd29e3ec0adbe41ec0dde8fcd181fbfd
  SHA1   8e25cb8af3c2c6593da992f1c0ac5db70878700e
  SHA256 f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a
  SHA512 351ce623d44933e9f02c15c3cf7c3933200457ee56a300a02a15250cc9aa2392a55d3f974ddcde7317c3de4b87c34c7ac5f566face55bfd91c73c42304112fc3

memory/2152-8-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3952-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4356-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2152-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2728-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
  MD5    b327fd67ef32a48c000590090f56b74e
  SHA1   b80c17390e9852a0dff1a56376eca86f25f24d7e
  SHA256 13311b523cc417d9d62fc81a82982dbc68f125e4ca9a85edbe1ef19123b5dc58
  SHA512 c5c81ca96e204bbb227895ff917410d5bc342894425f278f684ec08bab54ecb547d132de4392015b72f73088a31342bcf9c8ea20144aa646ea6f1e95dda2cd4a

memory/492-30-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2728-29-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4952-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4952-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    f5a469f906b30de607ca24694ae3c1dd
  SHA1   929c446f2e726e08ba4b8a3700fe14cb4ec5479d
  SHA256 c9633beffc2b7a83295b5b98dcbdf48824ffe64fbc14707471e2b4025c148e3b
  SHA512 ab05562f2a6ba43ed2ce065338674505298643f338c47caa1bcb97870be7447e6019f2bedaf3c7e33cb7a19bfc23aed25831bddfd899d4d3aa032f06f561fb94

memory/4848-42-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4952-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4812-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4812-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/492-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4848-50-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4812-51-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4812-54-0x0000000000400000-0x0000000000429000-memory.dmp

The first drop of C:\Users\Admin\AppData\Roaming\omsecor.exe is byte-identical to the one in behavioral1 (all four hashes match, MD5 fd29e3ec0adbe41ec0dde8fcd181fbfd), while the SysWOW64 copy and the second AppData\Roaming copy differ both from each other and from their behavioral1 counterparts. Only the first-stage drop hash is therefore a reusable file indicator; hunt on the paths (omsecor.exe under AppData\Roaming and under C:\Windows\SysWOW64 or System32) together with the self-injection behaviour rather than on the later hashes. The 0x400000-0x424000 versus 0x400000-0x429000 main-module split between writers and hollowed children is the same as on Windows 7.
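Comparing the two detonations is the cheapest check of which indicators belong to the sample and which belong to the sandbox environment. The script below is an added example, not part of the report: it takes each run's network table and dropped-file hashes, keeps as C2 only the names the sample actually connects to (not merely resolves) in every run, classifies the remaining names as background, and applies the same "present in every run" rule to the file hashes. The input is re-typed from the behavioral1 and behavioral2 sections (constructed input), with behavioral2's network table reduced to a representative subset and the Windows 7 drop paths given a drive letter; the function names and the noise/C2 labels are this example's own.

```python
"""Cross-detonation indicator triage for this report.

Added example, not part of the original report. The network rows and
dropped-file hashes below are re-typed from the behavioral1 and behavioral2
sections (constructed input; behavioral2's network table is a representative
subset). The report lists the Win7 drop paths without a drive letter; they
are normalised to C:\\ here.
"""
import re
from collections import defaultdict

NET1 = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 3.33.243.145:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
"""
NET2 = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 3.33.243.145:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
# (path, SHA256) in the order each run's Files section lists them.
FILES1 = [
    (ROAMING, "f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a"),
    (SYSWOW64, "8a34ab8ea2f67798a0758b98d8eede86e0420864f7a60ecf114f0f9cfc2b9edb"),
    (ROAMING, "c36cfdc109a6123703fcd7863df6a0e2b9fcdc0458961f3c3fa831b57ea525eb"),
]
FILES2 = [
    (ROAMING, "f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a"),
    (SYSWOW64, "13311b523cc417d9d62fc81a82982dbc68f125e4ca9a85edbe1ef19123b5dc58"),
    (ROAMING, "c9633beffc2b7a83295b5b98dcbdf48824ffe64fbc14707471e2b4025c148e3b"),
]

NET_ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")


def parse_net(text):
    """Rows of the 'Country Destination Domain Proto' table as dicts."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def connections(rows):
    """domain -> {'ip:port'} for traffic other than the 8.8.8.8:53 lookups, so a
    name that was only resolved (e.g. a PTR query) does not count as contacted."""
    out = defaultdict(set)
    for r in rows:
        if not (r["proto"] == "udp" and r["port"] == 53):
            out[r["domain"]].add(f"{r['ip']}:{r['port']}")
    return out


def triage(net_runs, file_runs):
    """Split indicators into those reproduced in every detonation and those
    seen in only one. A name the sample connects to in every run is worth
    blocking; a name present in a single run (Windows 10 telemetry, the
    sandbox's reverse lookups) is not attributable to the sample on this
    evidence. The same rule on file hashes shows which drop is stable."""
    conns = [connections(parse_net(t)) for t in net_runs]
    everywhere = set.intersection(*(set(c) for c in conns))
    anywhere = {r["domain"] for t in net_runs for r in parse_net(t)}
    resolutions = {d: set().union(*(c.get(d, set()) for c in conns)) for d in everywhere}
    runs_by_hash, path_by_hash = defaultdict(set), {}
    for i, files in enumerate(file_runs):
        for path, sha in files:
            runs_by_hash[sha].add(i)
            path_by_hash[sha] = path
    stable = {sha for sha, runs in runs_by_hash.items() if len(runs) == len(file_runs)}
    return {
        "c2": sorted(everywhere),
        "background": sorted(anywhere - everywhere),
        "resolutions": resolutions,
        "stable_hashes": {sha: path_by_hash[sha] for sha in sorted(stable)},
        "volatile_hashes": {sha: path_by_hash[sha] for sha in sorted(set(runs_by_hash) - stable)},
    }


if __name__ == "__main__":
    result = triage([NET1, NET2], [FILES1, FILES2])
    print("c2:", result["c2"])
    print("background:", result["background"])
    for sha, path in result["stable_hashes"].items():
        print("stable drop:", path, sha)
    print("volatile hashes:", len(result["volatile_hashes"]))
```

For this report the three C2 names survive with one address each, the bing and in-addr.arpa names fall into background, and exactly one dropped-file hash (the first AppData\Roaming drop) is reproduced in both runs, which is why the Files sections above recommend path-plus-behaviour hunting over the later hashes. With more detonations of the same family the same code tightens the indicator set further without any change.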