Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-sxtasada57
Target e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
SHA256 e4d80583e99b1a56c5b4029c7403eddd1aeb098378337e297892d17b7436219e
Tags: neconyd trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 e4d80583e99b1a56c5b4029c7403eddd1aeb098378337e297892d17b7436219e

Threat Level: Known bad

The file e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan
Neconyd
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-19 15:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-19 15:30
Reported: 2024-05-19 15:33
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"

Signatures

Neconyd
Tags: trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2348 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2348 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2348 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2348 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2348 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2008 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2008 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2008 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2008 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2340 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2340 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2340 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2340 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2340 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2340 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2392 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2736 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2316 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2316 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2316 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2316 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2316 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2316 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2348-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2008-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2008-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2008-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2348-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2008-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2008-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5 ebff5912f487cc7e8043af0b5faaf6d8
  SHA1 d3b9cec1654186356d365fb12ea2f51757ebaa27
  SHA256 e0a350f734b2f31399610bcf6d1c2df7e1a688b108a272484ab801c24f9680d8
  SHA512 40cc008fbdb0dd16b5667d0ddb51ad04bbd1644ffc1e58108fffe1ce34bce59645eeb1f4189f0458cfa9f122e5fc0d1e1c4eadaa3d7fe91c1151a4f09fda54f1

memory/2008-13-0x0000000000230000-0x0000000000254000-memory.dmp
memory/2340-21-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2340-30-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2392-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe
  MD5 c1094d6d09679c1dc736197caffcd561
  SHA1 cae01aaa7f6ab91a86f6033e50c921f6bc60afae
  SHA256 79534e61998ab5234b03021774dda379976ce64729bf17a7e0f9e007fc581bc8
  SHA512 d887c7e7e85e7ff584641a40186f554665961ad7129a7887e7594d781b9bad42b75b24812eaf1a8d8c376fc556a7822b62ab864634d6fdce68d1af6a0522d47e

memory/2392-46-0x00000000020D0000-0x00000000020F4000-memory.dmp
memory/2392-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2336-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2336-63-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5 793639c796fb24909caabea9a4bce7b3
  SHA1 e6b83345985ffd053fd8e42848dbb55bc5f18904
  SHA256 8eba1c25c82682945b78366c25fbc40567c592866a5003d22c0499191ef0f174
  SHA512 d0b184668b7bf662e6cf804fce8668e2f5f6759a7674112badd409b1530e09d3727b0563285b1cf6fb8c980a51fb86e01260a8016af9c3f19db89e4babce23d8

memory/2736-69-0x0000000000230000-0x0000000000254000-memory.dmp
memory/2316-78-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2316-84-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1748-87-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1748-90-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-19 15:30
Reported: 2024-05-19 15:33
Platform: win10v2004-20240508-en
Max time kernel: 146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"

Signatures

Neconyd
Tags: trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 1692 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 1692 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 1692 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 1692 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 100 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 100 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 100 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4088 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4088 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4088 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4088 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4088 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1032 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1032 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1032 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3704 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3704 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3704 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3704 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3704 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 612 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 612 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 612 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 612 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 612 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1692 -ip 1692
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4088 -ip 4088
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 300
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 300
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3704 -ip 3704
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 612 -ip 612
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/1692-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/100-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/100-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/100-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4088-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/100-8-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5 ebff5912f487cc7e8043af0b5faaf6d8
  SHA1 d3b9cec1654186356d365fb12ea2f51757ebaa27
  SHA256 e0a350f734b2f31399610bcf6d1c2df7e1a688b108a272484ab801c24f9680d8
  SHA512 40cc008fbdb0dd16b5667d0ddb51ad04bbd1644ffc1e58108fffe1ce34bce59645eeb1f4189f0458cfa9f122e5fc0d1e1c4eadaa3d7fe91c1151a4f09fda54f1

memory/1032-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1032-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4088-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1032-17-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1032-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1032-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1032-24-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
  MD5 587936a000a0e3afd4c1e5065fddfdc3
  SHA1 736404da9138778268c7f78c3e60f2243afb791b
  SHA256 5482ad467d66a648b500de9ab6621be5f74b175c07081e00a42bd32f7967ccac
  SHA512 c8addec36b69cf80cf9ef733e86de25a9e70d944e057cfad50116153d0fbacb1e18c602f5ac667cad9cecafce808678cb3b7d345408b6f6e5ecfa128eac08ddd

memory/1032-30-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3704-32-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2908-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2908-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2908-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5 0f154eced2a2b23e12ecb237fe45871f
  SHA1 f69e3d5e98acaeea58bb00b29d841daf800cc14f
  SHA256 bb39e083cb60b1a7265ca8567f3f9db7c3d41d352f463099f052ae4c2915b9a7
  SHA512 7912e164bc90c79ce9b8088c8145cd0031796a6eca14264ef9ae07b5babdf97bf4ebb1725f655aa3547e6af1adb8479906aaeb74935b46ced2eb577ed41b1774

memory/612-43-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2328-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2328-49-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2328-50-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2328-53-0x0000000000400000-0x0000000000429000-memory.dmp