Analysis Overview
SHA256
8a4a20ba21a370e20c081007d18a921c4a7a856af338d8ce172b05dd43397d18
Threat Level: Known bad
The file 2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 18:50
Reported
2025-07-02 18:53
Platform
win10v2004-20250619-en
Max time kernel
144s
Max time network
143s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1284 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe |
| PID 4396 set thread context of 3740 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1380 set thread context of 3644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3952 set thread context of 3248 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1284 -ip 1284
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 288
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1380 -ip 1380
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3952 -ip 3952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 256
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 93c5ac954f5c6b394ad101b3f70bedaf |
| SHA1 | 57b1816c79a1d97feb5a04191d7323c11ff383bf |
| SHA256 | e57c367ca78e0a90104270c269363520a821dcce73ac294bfe2fea427e463ec3 |
| SHA512 | 0f5494dcb58c17b67d0c7489fffe4808d5148cfdce4ff02c2fe6ca09305fd55b38b678f2cb29be56d6a253e361b907b19af2290db0ed92e153fc2c36f2695b52 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 68cd8abdf5f9afdfb6feb74d41829e82 |
| SHA1 | 36a9ccd78f4b1f4d8493902e7c612a53a329dd4e |
| SHA256 | 4b7bfd94aecf18a4470a73e986efb3b9ceb6492c50f7f1a2e9ac54feb1d6a8cc |
| SHA512 | 427c413d8fda132d18b413fb144c2ca40fd7c0d8386dcf42c8d022926a68c912a14d92e162a469142b88408b67bd0a8df5b708be3653d2c1015fb77dd3e9f7eb |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 376d87085276e46fc8f94221fcefb8ec |
| SHA1 | e245815e78c8e3a7a22fe5149376fd98f008d2d0 |
| SHA256 | cce8f4b2b0515ed3c65e8adcb552ad05a9e365b4badbabf818b59a45b3a219f3 |
| SHA512 | c3907a20260b55c8074d6d704ef4c86f870c7a705026fd18dea0bedb49de6430f8b6338d27f006ea4ad716baf426d78f1f99955cbcdab027dd6b6acbf053a8db |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 18:50
Reported
2025-07-02 18:53
Platform
win11-20250619-en
Max time kernel
144s
Max time network
143s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5216 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe |
| PID 3720 set thread context of 3532 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5068 set thread context of 3688 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5180 set thread context of 3584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
C:\Users\Admin\AppData\Local\Temp\2025-07-02_c0449747a0d7a18ab7e6e93f3cd3a115_amadey_elex_rhadamanthys_smoke-loader_stop.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5216 -ip 5216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 300
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3720 -ip 3720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 288
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5068 -ip 5068
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 304
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5180 -ip 5180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 252
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 93c5ac954f5c6b394ad101b3f70bedaf |
| SHA1 | 57b1816c79a1d97feb5a04191d7323c11ff383bf |
| SHA256 | e57c367ca78e0a90104270c269363520a821dcce73ac294bfe2fea427e463ec3 |
| SHA512 | 0f5494dcb58c17b67d0c7489fffe4808d5148cfdce4ff02c2fe6ca09305fd55b38b678f2cb29be56d6a253e361b907b19af2290db0ed92e153fc2c36f2695b52 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 80fdb5c82d127003f24373a3f62e1b42 |
| SHA1 | 7c9b9daa9b5d2df6721fc2411a115312dadda5e4 |
| SHA256 | b96ef610a989c2cbf689fda5e7d584720a3a7ef79620b837731cd2f728414757 |
| SHA512 | a6f562ee0a03dc0709f9953ee0928aa40e01702e634674717c8733da83f4e5d5f6d9f2f166b10b58a981e07c892d16f52dbc2df6db49d2ca1726a8c3b7bfdc2a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 964e5cc9192ca696d50be0a6c21d4e5b |
| SHA1 | 877fe7495c54824edfb021dc3e3ca580a1e0ad40 |
| SHA256 | 2ca2e4df490328349c72112e2665f61920d38b6f921b169c10c1cfb46dbe3f62 |
| SHA512 | 7b03bd44f472d406814b2103ce4a01af91beb2058333b827cc3a8ae2a14c1111a75aa4442571f9958d5e335e5de6230de149e8c19d0ba278fafb64965288ef40 |