Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-zzeczaaa45
Target 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
SHA256 a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab

Threat Level: Known bad

The file 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 21:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 21:09

Reported

2024-05-19 21:11

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2284 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe 5
PID 2696 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 460 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5
PID 1204 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 3
PID 4328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 5
PID 2492 wrote to memory of 4508 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 4508 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5

Processes

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 288

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4328 -ip 4328

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 268

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 lousta.net udp 1
FI 193.166.255.171:80 lousta.net tcp 4
US 8.8.8.8:53 mkkuei4kdsz.com udp 1
US 64.225.91.73:80 mkkuei4kdsz.com tcp 2
US 8.8.8.8:53 ow5dirasuek.com udp 1
US 35.91.124.102:80 ow5dirasuek.com tcp 1
NL 23.62.61.97:443 www.bing.com tcp 1
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp 1
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp 1
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp 1
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 151.143.109.104.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp 1
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp 1
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp 1

Files

memory/2284-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2696-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2696-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2696-1-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 246495e2b032733d47da73322aa83799
SHA1 15e5b29c3d0bfc625b4154a8eef5e2495d575139
SHA256 b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83
SHA512 18be84fc666dfbdf0256b8bcb8c4f3d3733fe3922de5f00d1841817e6db0ac7c85393417752e459639f511f7695668a205d97fe3d46feab2777028ad1128625d

memory/460-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2696-7-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1204-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1204-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2284-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1204-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1204-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1204-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1204-26-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f7d6a671395ea3d10088b54b156371fd
SHA1 240c751abaab5abc4e04478a9f73056681d29320
SHA256 f004f4232409cb1b9e4e24bfe22219ca2e3f5277b7ede23fcbdcb47144cc2d60
SHA512 c84d8f4be7b18563a176051a4424112bd2b60c34a91e56032855313e19a782f3a2a9726eee353481e7ae73def7d3bcf56acc39c27c65d2ec2267d9782ecd3e28

memory/1204-33-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4328-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2492-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2492-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2492-38-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 59a6c6ae10124b37fa2f120f4685694f
SHA1 130dcb6a8fc36faaa976dbaeb6e4d7e196f81afd
SHA256 b2f6bc73d254db4a4f23a120c90f81b5b5434d5b67e4b5255f4e3f9ebcbeaa5d
SHA512 6d227da9aff340982a79b7a3b6e6a1e6803d6095ee12ba351f240b50a8ed3904e9dcbc3cd42d86a61474fd46ae4eab6c35d2573c3d003d450605dcd5e2c25ab1

memory/4508-44-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1560-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1560-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4328-52-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1560-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1560-57-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 21:09

Reported

2024-05-19 21:11

Platform

win7-20240220-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2916 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe 6
PID 1920 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2508 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6
PID 2620 wrote to memory of 112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 112 wrote to memory of 2016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 6
PID 2016 wrote to memory of 2216 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2216 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6

Processes

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 lousta.net udp 1
FI 193.166.255.171:80 lousta.net tcp 4
US 8.8.8.8:53 mkkuei4kdsz.com udp 1
US 64.225.91.73:80 mkkuei4kdsz.com tcp 2
US 8.8.8.8:53 ow5dirasuek.com udp 1
US 35.91.124.102:80 ow5dirasuek.com tcp 1

Files

memory/2916-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2916-1-0x0000000000260000-0x0000000000283000-memory.dmp

memory/1920-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1920-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2916-8-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1920-6-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1920-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 246495e2b032733d47da73322aa83799
SHA1 15e5b29c3d0bfc625b4154a8eef5e2495d575139
SHA256 b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83
SHA512 18be84fc666dfbdf0256b8bcb8c4f3d3733fe3922de5f00d1841817e6db0ac7c85393417752e459639f511f7695668a205d97fe3d46feab2777028ad1128625d

memory/1920-15-0x0000000000230000-0x0000000000253000-memory.dmp

memory/1920-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2508-35-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2508-32-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2620-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2620-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2620-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2620-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 902e8a198640715bc9651d927e6c6eaf
SHA1 4708079473117e57591d92d8f77e96bbfceb4a2e
SHA256 5d019fb49fe66cacc2c1656788e4f7a1b1305d9008b3efcae86ce03a12ae66fb
SHA512 262562993ba6186c35d5e0eb87d92484cf1afb92d62e83ea7115224c48ffe83b6e101950e5928f7576bf4532d8354dd675963255a56db043b00c5379817736ec

memory/2620-48-0x0000000000310000-0x0000000000333000-memory.dmp

memory/2620-57-0x0000000000400000-0x0000000000429000-memory.dmp

memory/112-58-0x0000000000400000-0x0000000000423000-memory.dmp

memory/112-66-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 085a0ccac905e875fcb379ce3954a59d
SHA1 78239949710489636aff48bcb1e81bd2498da98d
SHA256 6b58e0aac00ccb99a8b8084ffabf56ae7cbb795c80c4c14625a2327b8b7a6000
SHA512 bb296b947c77b8434536479fb92a9abd707a28fd1aa877bfea4cf6b1606616a16d6c4b46f4e0a4468f9db3d8b74892d8bdafa8a78bf847fdbc865423b6601707

memory/2016-73-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2216-81-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2216-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1896-91-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1896-94-0x0000000000400000-0x0000000000429000-memory.dmp