Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-avds7sbd3s
Target 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
SHA256 371e71a4f6c3ebe555ed82cc36b31867c3e8b04cd464295b2137c4770fdbaa18
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

371e71a4f6c3ebe555ed82cc36b31867c3e8b04cd464295b2137c4770fdbaa18

Threat Level: Known bad

The file 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 00:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 00:31

Reported

2024-05-20 00:34

Platform

win7-20231129-en

Max time kernel

141s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2672 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2672 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2672 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2672 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 2796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 2796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 2796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 2796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 2796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 2796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2796 wrote to memory of 2012 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2796 wrote to memory of 2012 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2796 wrote to memory of 2012 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2796 wrote to memory of 2012 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Each process is listed as its image path followed by the command line it was started with:

C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2244-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2352-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2352-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2352-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2352-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2352-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2244-7-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e3a599ec10fab6201e487e0e03b7eded
SHA1 7a91e83115ba8e4d0154847f41540458aab3af04
SHA256 c41c378f356b796115fc0be17d1ba03df82deb0453c9d4c8c87bfee49f6c2411
SHA512 0a4bac34d268b6782f6367d3d1908309431f4999a6854ca97b7d96983ffc955816f1643d850fa96f3191564934a22ac1efb1185a1c9d77b0c728f331f0e7e432

memory/2564-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2564-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2672-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2672-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2672-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2672-41-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a29d1b26a8b53d1783c61b98df5eef57
SHA1 335cd0d9aaa7ffb0757eb16242067968bf84376b
SHA256 37e3578530e7c43cab1026b10d228e3c747047adc3cbb73c5852b2ee5866ae82
SHA512 566040985de597d99397c22c845d97c15b71626d23f9ed554fb88431ae65dacbabb76f568ac7f1bf6ce43797b244785f742237cccfbe16d64168f58fa347b448

memory/2672-44-0x00000000005A0000-0x00000000005C3000-memory.dmp

memory/2672-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-54-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1540-63-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 de0ff6bacd0eb160161f33683042c393
SHA1 4fe33cc108df6fbc4c4ccf75d289289ad4839433
SHA256 d8894572f8b917635f3d0464a5552e8a97f652624de91e4f13c354a2f121cd21
SHA512 7e7b99068a64470606ce02663ce04ec2af36010335f55ba7dd27c7d2351c142d33310797ba88f1d0cb793503d96556dfe61ad920579d39241f9658284389d1df

memory/2796-69-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2012-77-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2012-85-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1504-87-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1504-90-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 00:31

Reported

2024-05-20 00:34

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3792 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3792 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3792 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4232 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4232 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4232 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4232 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4232 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1540 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1540 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3300 wrote to memory of 3644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3300 wrote to memory of 3644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3300 wrote to memory of 3644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3300 wrote to memory of 3644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3300 wrote to memory of 3644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3644 wrote to memory of 4664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3644 wrote to memory of 4664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3644 wrote to memory of 4664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Each process is listed as its image path followed by the command line it was started with:

C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3344 -ip 3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 288

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 288

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3300 -ip 3300

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
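The Network tables of both runs mix the sample's own traffic with sandbox noise: the 8.8.8.8:53 rows are the resolver, the in-addr.arpa rows are reverse lookups of addresses that were contacted, and the bing.com and bing.net rows in the Windows 10 run are treated here as OS background traffic. The script below is an added example (not the sandbox's own tooling) that reduces such a table to blockable indicators and, separately, lists domains the sample resolved but never connected to; in behavioral1 that is ow5dirasuek.com, which behavioral2 does reach at 35.91.124.102:80. The input is the behavioral1 table verbatim plus three noise rows copied from behavioral2; the benign-host allowlist and the resolver address are assumptions to tune per environment.

```python
"""Reduce a sandbox Network table to actionable IOCs.

Added example for this report; not the sandbox's own tooling. The rows below
are copied from the behavioral1 Network table, plus three rows from the
behavioral2 table that illustrate sandbox background noise. The noise rules
(resolver rows, PTR lookups, a benign-host allowlist) are this example's
assumptions and should be tuned per environment.
"""
from collections import defaultdict

# Constructed input: behavioral1 rows verbatim, then three noise rows from behavioral2.
NETWORK_ROWS = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption: Windows 10 background hosts seen in clean detonations of this sandbox image.
BENIGN_SUFFIXES = ("bing.com", "bing.net")
# Assumption: the sandbox's upstream resolver, as seen in every udp/53 row above.
RESOLVER = "8.8.8.8"


def parse_rows(text):
    """Yield one dict per 'Country Destination Domain Proto' line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_noise(row):
    """Reverse lookups and allowlisted background hosts carry no IOC value."""
    d = row["domain"].lower()
    return d.endswith(".in-addr.arpa") or d.endswith(BENIGN_SUFFIXES)


def extract_iocs(text):
    """Return (contacted, dns_only).

    contacted: domain -> sorted list of (ip, port, proto) endpoints actually connected to.
    dns_only:  domains the sample resolved but never connected to (still worth watching).
    """
    contacted = defaultdict(set)
    resolved = set()
    for row in parse_rows(text):
        if is_noise(row):
            continue
        if row["proto"] == "udp" and row["port"] == 53 and row["ip"] == RESOLVER:
            resolved.add(row["domain"])  # a lookup, not a connection
            continue
        contacted[row["domain"]].add((row["ip"], row["port"], row["proto"]))
    dns_only = sorted(resolved - set(contacted))
    return {d: sorted(e) for d, e in contacted.items()}, dns_only


def blocklist(contacted, dns_only):
    """Flat, deduplicated 'type value' list for a firewall or DNS sinkhole."""
    out = {f"domain {d}" for d in list(contacted) + dns_only}
    out |= {f"ip {ip}" for eps in contacted.values() for ip, _, _ in eps}
    return sorted(out)


if __name__ == "__main__":
    c, d = extract_iocs(NETWORK_ROWS)
    for line in blocklist(c, d):
        print(line)
```

Domains in the dns-only list are kept in the blocklist on purpose: a lookup without a connection in one run does not mean the domain is unused, as the second run shows.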

Files

memory/3344-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3792-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3792-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3792-7-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e3a599ec10fab6201e487e0e03b7eded
SHA1 7a91e83115ba8e4d0154847f41540458aab3af04
SHA256 c41c378f356b796115fc0be17d1ba03df82deb0453c9d4c8c87bfee49f6c2411
SHA512 0a4bac34d268b6782f6367d3d1908309431f4999a6854ca97b7d96983ffc955816f1643d850fa96f3191564934a22ac1efb1185a1c9d77b0c728f331f0e7e432

memory/4232-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3792-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3344-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1540-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1540-33-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 6cba678ca333e8d4a7747bce41cf4467
SHA1 7b90ea72ed78383c657397c4eeb50825cb4eeef2
SHA256 a415b494f55434c8423884d7ee296d49706bc7754933131b6fd6eb53d340cf61
SHA512 c17f1a16f45b910f1e5bc5fd0715e1b62356bca26d9aeef0210d35ed07324fb3dd4226d2349b8c61e013b82f1e62c8331b5df1582247053cc98827033b13762e

memory/3300-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3644-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3644-43-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9c72da8eb0229b5bd6fb47bfd8caa6a5
SHA1 ab7e932e83179b17fab5d1e1715e43c509b362f6
SHA256 9547b2e6477c6204113a57a072e02e421f16c082a0bb424be0ce34a1bbbe7263
SHA512 26d6a33c1a959f3ac64a9de36825cc9ff6fb95841c828a0d37194b53db0bbcbd24b77d558e5da908b2359f5c4da03dc446b0f3af856461fd7f08c1be0ed437b8

memory/3644-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4664-45-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5104-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5104-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5104-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5104-56-0x0000000000400000-0x0000000000429000-memory.dmp
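Read together, the WriteProcessMemory rows, the Processes list and the memory-dump names of both runs describe one repeating step: a process starts a second instance of its own image, writes into it (the SetThreadContext signature in the overview is the matching thread redirection), and that written instance then drops the next omsecor.exe and starts it. In every dump taken at the image base 0x400000 the launcher's region is 0x23000 bytes while the written instance's is 0x29000 bytes, consistent with a different image having been written over the child. In the Windows 10 run each launcher then ends up in WerFault.exe, whose -p argument names the crashing process; that is the 'Program crash' signature. The SysWOW64 copy is started with a System32 path because a 32-bit process naming System32 is redirected to SysWOW64 by WoW64 file-system redirection. The dropped Roaming omsecor.exe also carries a different hash at each drop (the first drop is e3a599ec10fab6201e487e0e03b7eded in both runs, the later ones differ), so blocking the dropped file by hash alone is weak; a detection should key on the self-spawn-and-write pattern instead. The script below is an added example, not the sandbox's code. Its inputs are copied from the behavioral2 tables (repeated WriteProcessMemory rows collapsed, except one duplicate kept to show the counting), and the launcher/hollowed labels are this example's reading of the data.

```python
"""Rebuild the injection chain of this report from its own tables.

Added example; not the sandbox's code. WPM_ROWS, DUMP_NAMES and WER_LINES are
copied from the behavioral2 tables (repeated WriteProcessMemory rows are
collapsed, except one duplicate kept to show the call counting). The
launcher/hollowed labels and the image-size comparison are this example's
interpretation of that data.
"""
import re
from collections import Counter

# Constructed input: one row per distinct parent/child pair from the behavioral2 table.
WPM_ROWS = r"""
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3344 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
PID 3792 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4232 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1540 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3300 wrote to memory of 3644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3644 wrote to memory of 4664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# Constructed input: the image-base dumps from the behavioral2 Files list, one per PID.
DUMP_NAMES = """
memory/3344-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3792-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4232-11-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1540-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3300-34-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3644-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4664-45-0x0000000000400000-0x0000000000423000-memory.dmp
memory/5104-50-0x0000000000400000-0x0000000000429000-memory.dmp
"""

# Constructed input: WerFault command lines from the behavioral2 Processes list.
WER_LINES = r"""
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3344 -ip 3344
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 288
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 288
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 292
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 256
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
WER_RE = re.compile(r"WerFault\.exe\b.*\s-p (\d+)")


def parse_edges(text):
    """(src_pid, dst_pid, src_image, dst_image) -> number of WriteProcessMemory rows."""
    counts = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            counts[(int(src), int(dst), src_img, dst_img)] += 1
    return counts


def parse_image_sizes(text, base=0x400000):
    """pid -> size of the region mapped at the image base, taken from the dump file names."""
    sizes = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m and int(m.group(2), 16) == base:
            sizes[int(m.group(1))] = int(m.group(3), 16) - base
    return sizes


def parse_crashed_pids(text):
    """PIDs handed to WerFault.exe (-p names the crashing process)."""
    return {int(m.group(1)) for m in map(WER_RE.search, text.splitlines()) if m}


def reconstruct_chain(wpm_text, dump_text, wer_text):
    edges = parse_edges(wpm_text)
    sizes = parse_image_sizes(dump_text)
    crashed = parse_crashed_pids(wer_text)
    chain, launchers, hollowed = [], [], []
    for (src, dst, src_img, dst_img), n in edges.items():  # insertion order = report order
        if src_img.lower() == dst_img.lower():
            kind = "self-hollow"  # writes into a fresh instance of its own image
            launchers.append(src)
            hollowed.append(dst)
        else:
            kind = "launch-dropped"  # writes into the dropped omsecor.exe it just started
        chain.append((src, dst, kind, n))
    return {
        "chain": chain,
        "launchers": launchers,
        "hollowed": hollowed,
        "crashed_launchers": [p for p in launchers if p in crashed],
        "launcher_image_sizes": {p: sizes.get(p) for p in launchers},
        "hollowed_image_sizes": {p: sizes.get(p) for p in hollowed},
    }


if __name__ == "__main__":
    for src, dst, kind, n in reconstruct_chain(WPM_ROWS, DUMP_NAMES, WER_LINES)["chain"]:
        print(f"{src} -> {dst}: {kind} ({n} write rows)")
```

The same parser runs unchanged on the behavioral1 tables, where the launcher/hollowed pairs are 2244/2352, 2564/2672, 1540/2796 and 2012/1504, the image sizes split the same way, and the crash set is empty because that run produced no WerFault processes.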