Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-t9avmsgb8w
Target f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
SHA256 892b63b4b9488cc1c62d418da8b427719e392547338f175a9be072fd8bc2c619
Tags
neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

892b63b4b9488cc1c62d418da8b427719e392547338f175a9be072fd8bc2c619

Threat Level: Known bad

The file f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:44

Reported

2024-05-19 16:47

Platform

win7-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2892 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2892 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2892 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2892 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2892 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2892 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2032 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2032 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2032 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2032 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2804 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2804 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2804 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2804 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 572 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 572 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 572 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 572 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2892-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2892-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2032-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2032-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2032-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2032-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2032-1-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d4c6cd7c0b7cc06520db971df2b61b4c
SHA1 5843adf3b35e97e44e43f04c3341300119f67d90
SHA256 50c03ddc511cda534cac111ef1f3cd3cc944ff67bfc9a31ac6d1879259b92f7c
SHA512 6955708588efeca0e881e10e219d95f506fb8cca16370becfd234bca853b29bf0a7ee4ccd93252560377d37c39af092388ff25d543ad8c93f906bbca34d59f78

memory/2032-13-0x00000000002C0000-0x00000000002E4000-memory.dmp

memory/2032-19-0x00000000002C0000-0x00000000002E4000-memory.dmp

memory/2992-22-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2992-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2804-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2804-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2804-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2804-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 29de4db7e3822e6f31930cbe173a01c7
SHA1 b7562f22537eb25af5b2215431544ad34559bd6d
SHA256 a18d66c3a027e0cb8117fbdbe4ddb62f5a02f623dca0a2fd0a786c360e8ffcbe
SHA512 cb586d18869d3b0534aea19ecd2a51b56b48ee35b8f3e0569b31dc6e4b54e04245c26fe96860fed14b12854a4f3cd2fe5ab95bc15a4c4f315f517b38c3c15a28

memory/2804-46-0x00000000007A0000-0x00000000007C4000-memory.dmp

memory/2804-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2408-56-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2408-64-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 839554688e674750501bb4ee37ce4485
SHA1 97e21fe732e00a5453b2c81cdaf0e443eca2087c
SHA256 af21b58c5fb636d935414c4cd6bc5ad8a81b64806e82e557bdfa1283572df08e
SHA512 bfb27907d93f7e56f77d299f4187d9d29a3914fd7ba3b70db99ce9e96caf77135aa90c0d523f8b6e37edbc342164ccbb2561afd7f77d3d70a7829d160a96e5e0

memory/1000-77-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1000-84-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2240-86-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2240-89-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:44

Reported

2024-05-19 16:47

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2184 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2184 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2184 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2184 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 2184 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
PID 4236 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4236 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4236 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4772 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4772 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4772 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3104 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3104 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3104 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3104 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3104 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1076 wrote to memory of 1492 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1076 wrote to memory of 1492 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1076 wrote to memory of 1492 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1492 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1492 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1492 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1492 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1492 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2184 -ip 2184

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3104 -ip 3104

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1492 -ip 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2184-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4236-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4236-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4236-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4236-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/404-10-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d4c6cd7c0b7cc06520db971df2b61b4c
SHA1 5843adf3b35e97e44e43f04c3341300119f67d90
SHA256 50c03ddc511cda534cac111ef1f3cd3cc944ff67bfc9a31ac6d1879259b92f7c
SHA512 6955708588efeca0e881e10e219d95f506fb8cca16370becfd234bca853b29bf0a7ee4ccd93252560377d37c39af092388ff25d543ad8c93f906bbca34d59f78

memory/4772-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4772-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2184-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4772-17-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4772-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4772-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4772-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4772-27-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 92238cad262c15ca6e3b989b4f904901
SHA1 2d9debcd11c0ac6faaaf1996669cbe854237ca47
SHA256 351aa293a0808228de3116b6572a082b507928637f4f61ce590a5f8c4ad7bc1b
SHA512 95af30f15f7a521bb64235456b9b0ade084531de438debea62915a41356d7369c09b8188dc7731ca5de67db35c463d2b438752b18abb2437bbacae3391b2a355

memory/3104-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1076-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1076-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1076-34-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aafd1724bc43e9a08389314b5d844e14
SHA1 fa2bf1876ee3a05611e96ee1dffacac472bc2792
SHA256 9d7c686545f4172665a6372000c92b9a3a74073ae6f7c08d25c1a681c50f3d4a
SHA512 c9f745cf32017cc1c9e956b6a71e10c2713f88b00293ab9fe680febc5cadebd3bb8745cc010089e40526e4b18ed8d5e9542e39a23340ba902a4509e2191f0e56

memory/1492-42-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4584-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4584-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3104-48-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4584-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4584-52-0x0000000000400000-0x0000000000429000-memory.dmp