Malware Analysis Report

2025-08-10 19:49

Sample ID 250702-xhcrpszve1
Target 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop
SHA256 8a4a20ba21a370e20c081007d18a921c4a7a856af338d8ce172b05dd43397d18
Tags
neconyd discovery trojan
score
10/10


Analysis Overview

score
10/10

SHA256

8a4a20ba21a370e20c081007d18a921c4a7a856af338d8ce172b05dd43397d18

Threat Level: Known bad

The file 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-07-02 18:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 18:50

Reported

2025-07-02 18:53

Platform

win10v2004-20250619-en

Max time kernel

144s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

Signatures

Neconyd

trojan neconyd

Neconyd family

neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 1284 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 1284 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 1284 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 1284 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 2672 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2672 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2672 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4396 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4396 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4396 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4396 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4396 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3740 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3740 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3740 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1380 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1380 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1380 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1380 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1380 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3644 wrote to memory of 3952 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3644 wrote to memory of 3952 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3644 wrote to memory of 3952 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3952 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3952 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3952 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3952 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3952 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe

C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1284 -ip 1284

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1380 -ip 1380

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.27.79.221:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/1284-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2672-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2672-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2672-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2672-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 93c5ac954f5c6b394ad101b3f70bedaf
SHA1 57b1816c79a1d97feb5a04191d7323c11ff383bf
SHA256 e57c367ca78e0a90104270c269363520a821dcce73ac294bfe2fea427e463ec3
SHA512 0f5494dcb58c17b67d0c7489fffe4808d5148cfdce4ff02c2fe6ca09305fd55b38b678f2cb29be56d6a253e361b907b19af2290db0ed92e153fc2c36f2695b52

memory/4396-9-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3740-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3740-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4396-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1284-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3740-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3740-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3740-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3740-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3740-31-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 68cd8abdf5f9afdfb6feb74d41829e82
SHA1 36a9ccd78f4b1f4d8493902e7c612a53a329dd4e
SHA256 4b7bfd94aecf18a4470a73e986efb3b9ceb6492c50f7f1a2e9ac54feb1d6a8cc
SHA512 427c413d8fda132d18b413fb144c2ca40fd7c0d8386dcf42c8d022926a68c912a14d92e162a469142b88408b67bd0a8df5b708be3653d2c1015fb77dd3e9f7eb

memory/1380-34-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3644-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3644-44-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 376d87085276e46fc8f94221fcefb8ec
SHA1 e245815e78c8e3a7a22fe5149376fd98f008d2d0
SHA256 cce8f4b2b0515ed3c65e8adcb552ad05a9e365b4badbabf818b59a45b3a219f3
SHA512 c3907a20260b55c8074d6d704ef4c86f870c7a705026fd18dea0bedb49de6430f8b6338d27f006ea4ad716baf426d78f1f99955cbcdab027dd6b6acbf053a8db

memory/3952-46-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3644-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3248-51-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3248-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1380-52-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3248-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3248-56-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-02 18:50

Reported

2025-07-02 18:53

Platform

win11-20250619-en

Max time kernel

144s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

Signatures

Neconyd

trojan neconyd

Neconyd family

neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5216 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 5216 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 5216 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 5216 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 5216 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
PID 1660 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1660 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1660 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3720 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3720 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3720 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3720 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3720 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3532 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3532 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3532 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 5068 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 5068 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 5068 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 5068 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 5068 wrote to memory of 3688 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3688 wrote to memory of 5180 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3688 wrote to memory of 5180 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3688 wrote to memory of 5180 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5180 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5180 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5180 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5180 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5180 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"

C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe

C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5216 -ip 5216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 300

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3720 -ip 3720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5068 -ip 5068

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 304

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5180 -ip 5180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 252

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 52.27.79.221:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/5216-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1660-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1660-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1660-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1660-6-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 93c5ac954f5c6b394ad101b3f70bedaf
SHA1 57b1816c79a1d97feb5a04191d7323c11ff383bf
SHA256 e57c367ca78e0a90104270c269363520a821dcce73ac294bfe2fea427e463ec3
SHA512 0f5494dcb58c17b67d0c7489fffe4808d5148cfdce4ff02c2fe6ca09305fd55b38b678f2cb29be56d6a253e361b907b19af2290db0ed92e153fc2c36f2695b52

memory/3720-11-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3532-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3532-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5216-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3532-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3532-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3532-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3532-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 80fdb5c82d127003f24373a3f62e1b42
SHA1 7c9b9daa9b5d2df6721fc2411a115312dadda5e4
SHA256 b96ef610a989c2cbf689fda5e7d584720a3a7ef79620b837731cd2f728414757
SHA512 a6f562ee0a03dc0709f9953ee0928aa40e01702e634674717c8733da83f4e5d5f6d9f2f166b10b58a981e07c892d16f52dbc2df6db49d2ca1726a8c3b7bfdc2a

memory/5068-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3532-32-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3688-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3688-37-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 964e5cc9192ca696d50be0a6c21d4e5b
SHA1 877fe7495c54824edfb021dc3e3ca580a1e0ad40
SHA256 2ca2e4df490328349c72112e2665f61920d38b6f921b169c10c1cfb46dbe3f62
SHA512 7b03bd44f472d406814b2103ce4a01af91beb2058333b827cc3a8ae2a14c1111a75aa4442571f9958d5e335e5de6230de149e8c19d0ba278fafb64965288ef40

memory/5180-45-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3688-43-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3584-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5068-50-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3584-51-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3584-54-0x0000000000400000-0x0000000000429000-memory.dmp