Malware Analysis Report

2024-11-16 13:00

Sample ID: 240520-b6gvnsed5s
Target: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
SHA256: e518b0fa3c29a91839356fd7fb53f99f8b7f6637b9678b3031dffb61f8cc207d
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: e518b0fa3c29a91839356fd7fb53f99f8b7f6637b9678b3031dffb61f8cc207d
Threat Level: Known bad

The file 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-20 01:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 01:45
Reported: 2024-05-20 01:47
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Calls  Process                                                                               Target
PID 2104 wrote to memory of 908   6      C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
PID 908 wrote to memory of 2624   4      C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2624 wrote to memory of 3060  6      C:\Users\Admin\AppData\Roaming\omsecor.exe                                            C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3060 wrote to memory of 1448  4      C:\Users\Admin\AppData\Roaming\omsecor.exe                                            C:\Windows\SysWOW64\omsecor.exe
PID 1448 wrote to memory of 2808  6      C:\Windows\SysWOW64\omsecor.exe                                                       C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 1336  4      C:\Windows\SysWOW64\omsecor.exe                                                       C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1336 wrote to memory of 1240  6      C:\Users\Admin\AppData\Roaming\omsecor.exe                                            C:\Users\Admin\AppData\Roaming\omsecor.exe

The report lists one row per WriteProcessMemory call; identical rows are collapsed above with the call count, and the Indicator column, N/A in every row, is omitted. The pattern repeats at each stage: a process writes six times into a freshly started copy of its own image, and that copy then writes four times into the next dropped binary. Writer to target, the chain is 2104 -> 908 -> 2624 -> 3060 -> 1448 -> 2808 -> 1336 -> 1240.

Processes

Image path, with the command line in parentheses where it differs from the path. PIDs come from the WriteProcessMemory table above and indentation follows its writer -> target order, which is also the order of the report's own listing.

2104  C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  ("C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe")
  908   C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
    2624  C:\Users\Admin\AppData\Roaming\omsecor.exe
      3060  C:\Users\Admin\AppData\Roaming\omsecor.exe
        1448  C:\Windows\SysWOW64\omsecor.exe  (C:\Windows\System32\omsecor.exe)
          2808  C:\Windows\SysWOW64\omsecor.exe
            1336  C:\Users\Admin\AppData\Roaming\omsecor.exe
              1240  C:\Users\Admin\AppData\Roaming\omsecor.exe

The command line of PID 1448 names C:\Windows\System32\omsecor.exe while the image runs from C:\Windows\SysWOW64\omsecor.exe. The sample runs as a 32-bit process (the crash handler launched in the Windows 10 run is C:\Windows\SysWOW64\WerFault.exe), so the WOW64 file system redirector maps its System32 write to SysWOW64. When hunting, check for omsecor.exe under both directories.

Network

Country  Destination          Domain           Proto  Count
US       8.8.8.8:53           lousta.net       udp    1
FI       193.166.255.171:80   lousta.net       tcp    4
US       8.8.8.8:53           mkkuei4kdsz.com  udp    1
US       64.225.91.73:80      mkkuei4kdsz.com  tcp    2
US       8.8.8.8:53           ow5dirasuek.com  udp    1
US       35.91.124.102:80     ow5dirasuek.com  tcp    1

Identical rows are collapsed with a count. The udp rows are DNS queries to the sandbox resolver (8.8.8.8); the tcp rows are connections on port 80 to the resolved hosts.

Files

Memory dumps are named memory/<pid>-<seq>-<start>-<end>-memory.dmp and are listed in the report's order. The main module at 0x00400000 is dumped at 0x24000 bytes in every process started from a file on disk (2104, 2624, 1448, 1336) and at 0x29000 bytes in every process that was the target of a same-image write (908, 3060, 1240; 2808 has only a 0x00230000-0x00254000 region dumped). This is consistent with the SetThreadContext and WriteProcessMemory signatures: the freshly started copy of each binary has its image replaced with a larger payload before its main thread runs.

omsecor.exe is also rewritten during the run: the Roaming copy is reported with two different hash sets and the SysWOW64 copy with a third. Hashes of the dropped file are therefore not stable indicators; the file name, the two drop paths and the network domains are.

memory/2104-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/908-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/908-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/908-10-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 19b6f9f15ac8df3067d54275f67c7dc3
SHA1 f38fc26b1605b14607312aaa6c99753aa1b0c182
SHA256 2e6190e313520edc485aa739208b09cd12f822a582e89926315992f3c2bed409
SHA512 aaa2c3e41e2102f8308ca55f81c9371b89a6e1e5f7af08f7efdea98bfe69b83f5ddcd3913fbbcaaf0f45a6221c668ada22c99c33ffbf7173c96a4bd2420c623a

memory/2624-23-0x0000000000230000-0x0000000000254000-memory.dmp
memory/2624-22-0x0000000000400000-0x0000000000424000-memory.dmp
memory/908-7-0x0000000000400000-0x0000000000429000-memory.dmp
memory/908-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2104-8-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2624-30-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3060-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3060-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3060-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3060-42-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe
MD5 2682b6085bf5224be33516bb43320476
SHA1 69245f5c013b7a684679b2c9ece7595f8e04aab4
SHA256 91d090c9cb5b85468023ddb91c8524ff2244a9e8db2720b57e4ba580976feddf
SHA512 fbf41559ae5aab0b2a45b4ba84b92c15e07cddd89034efbf1caaa8521f93bf00f7a12b80653e6e0532b4e511ed36717fc7f148fd00f88dc692fb157cba4c5d4d

memory/3060-45-0x0000000002220000-0x0000000002244000-memory.dmp
memory/1448-55-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3060-53-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1448-62-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
MD5 b9d318413e7b40877a2ccf662aa5078d
SHA1 ec119789c6318b9c7fdd367ae1a21e3695c4d49d
SHA256 065be7f6ac286ae9b2432432d4ee5497e55b3cc9309ec124570dcab4a0918424
SHA512 8f067829eac59f40fd31302e4083039b779d1e52cde36dff46d1a9858bc0a83e679556503fe8512b626aec990724370d587adad97781bc89caf70745449a5b99

memory/2808-68-0x0000000000230000-0x0000000000254000-memory.dmp
memory/1336-77-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1336-84-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1240-86-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1240-89-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 01:45
Reported: 2024-05-20 01:47
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

Description                        Calls  Process                                                                               Target
PID 4648 wrote to memory of 1536   5      C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
PID 1536 wrote to memory of 1608   3      C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1608 wrote to memory of 4084   5      C:\Users\Admin\AppData\Roaming\omsecor.exe                                            C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4084 wrote to memory of 1608   3      C:\Users\Admin\AppData\Roaming\omsecor.exe                                            C:\Windows\SysWOW64\omsecor.exe
PID 1608 wrote to memory of 1884   5      C:\Windows\SysWOW64\omsecor.exe                                                       C:\Windows\SysWOW64\omsecor.exe
PID 1884 wrote to memory of 1204   3      C:\Windows\SysWOW64\omsecor.exe                                                       C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1204 wrote to memory of 2944   5      C:\Users\Admin\AppData\Roaming\omsecor.exe                                            C:\Users\Admin\AppData\Roaming\omsecor.exe

Identical rows are collapsed with the call count and the all-N/A Indicator column is omitted, as in behavioral1. The same stage pattern appears here (five same-image writes, then three writes into the next dropped binary), with one complication: PID 1608 is reported with two different images, first as C:\Users\Admin\AppData\Roaming\omsecor.exe (target of 1536, writer into 4084) and later as C:\Windows\SysWOW64\omsecor.exe (target of 4084, writer into 1884). The process list below shows WerFault.exe launched with -p 1608 between the two, so the later rows most likely describe a new process that was assigned the same PID after the first one crashed. When reconstructing this chain from EDR telemetry, key process records on PID plus image path and start time, not on PID alone.
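As an added example, not part of the sandbox report, the following Python reconstructs the injection chain from rows in the form used by the WriteProcessMemory tables of behavioral1 and behavioral2: it collapses the per-call duplicates, separates same-image writes (a process hollowing a fresh copy of its own binary) from hand-offs into the next dropped binary, and keys every process on (PID, image) so that the PID 1608 reuse in behavioral2 does not merge two different processes. The embedded rows are a constructed, abridged copy of the behavioral2 table; the function names and the row regex are this example's own.

```python
import re
from collections import Counter, defaultdict

# One report row: "PID <w> wrote to memory of <t> <indicator> <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Constructed sample: the distinct rows of the behavioral2 table, with two rows
# repeated to mimic the one-row-per-call duplication of the original report.
TMP = r"C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYS = r"C:\Windows\SysWOW64\omsecor.exe"
SAMPLE_ROWS = "\n".join([
    f"PID 4648 wrote to memory of 1536 N/A {TMP} {TMP}",
    f"PID 4648 wrote to memory of 1536 N/A {TMP} {TMP}",
    f"PID 1536 wrote to memory of 1608 N/A {TMP} {ROAM}",
    f"PID 1608 wrote to memory of 4084 N/A {ROAM} {ROAM}",
    f"PID 4084 wrote to memory of 1608 N/A {ROAM} {SYS}",  # 1608 now a different process
    f"PID 1608 wrote to memory of 1884 N/A {SYS} {SYS}",
    f"PID 1608 wrote to memory of 1884 N/A {SYS} {SYS}",
    f"PID 1884 wrote to memory of 1204 N/A {SYS} {ROAM}",
    f"PID 1204 wrote to memory of 2944 N/A {ROAM} {ROAM}",
])


def parse_rows(text):
    """Return Counter {((writer_pid, writer_img), (target_pid, target_img)): calls}."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            w, t, w_img, t_img = m.groups()
            edges[((int(w), w_img), (int(t), t_img))] += 1
    return edges


def pid_reuse(edges):
    """PIDs seen with more than one image path. Windows recycles PIDs, so
    (pid, image) rather than pid alone identifies a process in these tables."""
    images = defaultdict(set)
    for writer, target in edges:
        images[writer[0]].add(writer[1])
        images[target[0]].add(target[1])
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


def injection_chain(edges):
    """Depth-first walk from the process(es) nobody wrote into, following
    writer -> target links; returns the visit order as a list of (pid, image)."""
    children = defaultdict(list)
    targets = set()
    for writer, target in edges:
        children[writer].append(target)
        targets.add(target)
    roots = [n for n in children if n not in targets]
    order, seen, stack = [], set(), list(reversed(roots))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        stack.extend(reversed(children.get(node, [])))
    return order


def classify(edges):
    """Same-image writes hollow a fresh copy of the writer's own binary;
    hand-offs write into a process running a different (dropped) image."""
    same = [e for e in edges if e[0][1].lower() == e[1][1].lower()]
    handoff = [e for e in edges if e[0][1].lower() != e[1][1].lower()]
    return same, handoff


def summarize(text):
    edges = parse_rows(text)
    same, handoff = classify(edges)
    return {
        "distinct_edges": len(edges),
        "calls": sum(edges.values()),
        "chain": injection_chain(edges),
        "same_image_writes": len(same),
        "handoffs": len(handoff),
        "pid_reuse": pid_reuse(edges),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    # The chain is linear in this sample, so visit order doubles as depth.
    for depth, (pid, image) in enumerate(s["chain"]):
        print("  " * depth + f"{pid}  {image}")
    print(f"{s['calls']} calls over {s['distinct_edges']} writer->target pairs, "
          f"{s['same_image_writes']} same-image writes, {s['handoffs']} hand-offs")
    for pid, imgs in s["pid_reuse"].items():
        print(f"PID {pid} reused: {sorted(imgs)}")
```

Run against the behavioral1 rows the same code yields a single chain of eight processes with no PID reuse; on the behavioral2 sample it reports 1608 with two images, which is the case that breaks a naive PID-keyed parent/child map.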

Processes

Listed in the report's order, with the command line in parentheses where it differs from the image path. PIDs are taken from the WriteProcessMemory table above; the report gives no PIDs for WerFault.exe, whose -p argument is the PID of the crashed process.

4648  C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  ("C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe")
1536  C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
1608  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648   (crash report for 4648)
4084  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1608 -ip 1608   (crash report for 1608, the Roaming\omsecor.exe instance)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 288
      C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 296
1608  C:\Windows\SysWOW64\omsecor.exe  (C:\Windows\System32\omsecor.exe; PID reused after the earlier 1608 crashed)
1884  C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1608 -ip 1608   (crash report for 1608, the SysWOW64\omsecor.exe instance)
1204  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 300
2944  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1204 -ip 1204   (crash report for 1204)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 256

On Windows 10 every process that performed a same-image write (4648, both 1608 instances, 1204) was followed by a WerFault crash report; this is the "Program crash" signature in the overview, and it did not occur in the Windows 7 run. The injected copies (1536, 4084, 1884, 2944) kept running and carried the chain forward, so the crashes did not stop the infection. As in behavioral1, the SysWOW64 instance was started with a System32 command line and redirected by WOW64.

Network

Identical rows are collapsed with a count. The first group is the same three domains contacted in the Windows 7 run. The second group (bing.com, bing.net and in-addr.arpa reverse lookups of addresses contacted during the run, including the sample's own servers, e.g. 73.91.225.64.in-addr.arpa for 64.225.91.73) does not appear in the Windows 7 run and is consistent with Windows 10 platform background traffic rather than sample code; do not use it as an indicator.

Country  Destination          Domain           Proto  Count
US       8.8.8.8:53           lousta.net       udp    1
FI       193.166.255.171:80   lousta.net       tcp    4
US       8.8.8.8:53           mkkuei4kdsz.com  udp    1
US       64.225.91.73:80      mkkuei4kdsz.com  tcp    2
US       8.8.8.8:53           ow5dirasuek.com  udp    1
US       35.91.124.102:80     ow5dirasuek.com  tcp    1

Background (Windows 10 platform traffic):
US       8.8.8.8:53           g.bing.com                   udp    1
US       204.79.197.237:443   g.bing.com                   tcp    1
NL       23.62.61.97:443      www.bing.com                 tcp    2
US       8.8.8.8:53           tse1.mm.bing.net             udp    1
US       204.79.197.200:443   tse1.mm.bing.net             tcp    2
US       8.8.8.8:53           228.249.119.40.in-addr.arpa  udp    1
US       8.8.8.8:53           77.190.18.2.in-addr.arpa     udp    1
US       8.8.8.8:53           237.197.79.204.in-addr.arpa  udp    1
US       8.8.8.8:53           97.61.62.23.in-addr.arpa     udp    1
US       8.8.8.8:53           64.159.190.20.in-addr.arpa   udp    1
US       8.8.8.8:53           43.58.199.20.in-addr.arpa    udp    1
US       8.8.8.8:53           217.106.137.52.in-addr.arpa  udp    1
US       8.8.8.8:53           157.123.68.40.in-addr.arpa   udp    1
US       8.8.8.8:53           206.23.85.13.in-addr.arpa    udp    1
US       8.8.8.8:53           240.221.184.93.in-addr.arpa  udp    1
US       8.8.8.8:53           73.91.225.64.in-addr.arpa    udp    1
US       8.8.8.8:53           88.156.103.20.in-addr.arpa   udp    1
US       8.8.8.8:53           102.124.91.35.in-addr.arpa   udp    1
US       8.8.8.8:53           14.227.111.52.in-addr.arpa   udp    1

Files

The same pattern as the Windows 7 run: the module at 0x00400000 is 0x24000 bytes in the processes started from disk (4648, both 1608 instances, 1204) and 0x29000 bytes in the processes that received a same-image write (1536, 4084, 1884, 2944), and omsecor.exe is dropped with a different hash at each step. The first Roaming copy is byte-identical to the one in the Windows 7 run (same MD5, SHA1, SHA256 and SHA512), but the SysWOW64 copy and the second Roaming copy differ from the Windows 7 values and from each other, so across the two runs omsecor.exe has five distinct SHA256 values.

memory/4648-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1536-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1536-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1536-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1536-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 19b6f9f15ac8df3067d54275f67c7dc3
SHA1 f38fc26b1605b14607312aaa6c99753aa1b0c182
SHA256 2e6190e313520edc485aa739208b09cd12f822a582e89926315992f3c2bed409
SHA512 aaa2c3e41e2102f8308ca55f81c9371b89a6e1e5f7af08f7efdea98bfe69b83f5ddcd3913fbbcaaf0f45a6221c668ada22c99c33ffbf7173c96a4bd2420c623a

memory/1608-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4084-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4084-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4648-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4084-17-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4084-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4084-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4084-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4084-31-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
MD5 c28bfc381a8db99ed16dde0efbb6d295
SHA1 b9b2d79b7e494f3e47aa7ae50ee8ccc981c56edb
SHA256 c8625c595b98e72714fdf3789b8082f46f5256e5812f4490ae72b217af74c6c0
SHA512 b97e0a6bfd4adac35c211eb0bfbaaceb318c203cbb0d933e42b09806ebd4cc4322bfc1f49c35747dec41c793826298b0e7f7a1d9e1f11a81ea6ecb13c100906b

memory/1608-32-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1884-35-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 ff000d5b43cdc4391be8e72df35c57d6
SHA1 69dd2faba5aed210923f2c6feb3e88755fd4ed12
SHA256 fef2c34eb2e0465205b56bd0d7a019034bd480d047a96c589cb3b64178204e3b
SHA512 8b9f160ba86527535b7c17f18334af31c32c7274101cc4d05440e3451024fac8762257088139988c8a59a050985a622dd76af38f11966c4c2cee856d9505da5e

memory/1204-43-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1884-42-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1884-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2944-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2944-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1608-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2944-50-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2944-53-0x0000000000400000-0x0000000000429000-memory.dmp
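As an added example, not part of the report, the following Python turns the Network and Files tables of both runs above into a de-duplicated indicator list. It keeps the domains and TCP endpoints the sample contacted, drops the resolver rows and the bing.com / in-addr.arpa traffic (treating those as platform background traffic is this example's assumption, based on their absence from the Windows 7 run), and maps each dropped-file path to every SHA256 reported for it so that paths with more than one hash are flagged as unstable indicators. The embedded tables are constructed, abridged copies of the ones above; the names NOISE, parse_network, parse_files, normalize_path and unstable_hashes are this example's own.

```python
import re
from collections import defaultdict

# Assumption of this example: these names are sandbox/Windows background traffic,
# not sample activity (they are absent from the Windows 7 run of the same sample).
NOISE = (
    re.compile(r"\.in-addr\.arpa$"),        # reverse-DNS lookups of contacted addresses
    re.compile(r"(^|\.)bing\.(com|net)$"),  # Windows 10 search/telemetry hosts
)
NET_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed sample: abridged rows from the Network tables of both runs.
SAMPLE_NETWORK = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
"""

# Constructed sample: the dropped-file entries of both runs (SHA256 lines only,
# plus one memory dump and one MD5 line to show that they are skipped).
SAMPLE_FILES = r"""
memory/2104-0-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 19b6f9f15ac8df3067d54275f67c7dc3
SHA256 2e6190e313520edc485aa739208b09cd12f822a582e89926315992f3c2bed409
\Windows\SysWOW64\omsecor.exe
SHA256 91d090c9cb5b85468023ddb91c8524ff2244a9e8db2720b57e4ba580976feddf
\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 065be7f6ac286ae9b2432432d4ee5497e55b3cc9309ec124570dcab4a0918424
C:\Windows\SysWOW64\omsecor.exe
SHA256 c8625c595b98e72714fdf3789b8082f46f5256e5812f4490ae72b217af74c6c0
C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 fef2c34eb2e0465205b56bd0d7a019034bd480d047a96c589cb3b64178204e3b
"""


def is_noise(domain):
    return any(p.search(domain) for p in NOISE)


def parse_network(text):
    """Return (domains, tcp_endpoints, noise_domains) from a flattened Network table.
    UDP rows are the resolver (8.8.8.8:53) answering lookups, so they contribute
    a domain but never an endpoint."""
    domains, endpoints, noise = set(), set(), set()
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if is_noise(domain):
            noise.add(domain)
        else:
            domains.add(domain)
            if proto == "tcp":
                endpoints.add(f"{ip}:{port}")
    return domains, endpoints, noise


def normalize_path(path):
    """The report lists the same file both with and without the drive letter."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text):
    """Map each dropped-file path to the set of SHA256 values reported for it."""
    hashes = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                  # blank lines separate path and hash block
        if line.startswith("memory/"):
            current = None            # memory dumps carry no hash block
            continue
        m = HASH_RE.match(line)
        if m:
            if current and m.group(1) == "SHA256":
                hashes[current].add(m.group(2).lower())
        elif "\\" in line:
            current = normalize_path(line)
    return dict(hashes)


def unstable_hashes(hashes):
    """Paths reported with more than one SHA256: a hash-based IOC will miss them."""
    return {p: h for p, h in hashes.items() if len(h) > 1}


if __name__ == "__main__":
    domains, endpoints, noise = parse_network(SAMPLE_NETWORK)
    print("domains:", sorted(domains))
    print("endpoints:", sorted(endpoints))
    print("ignored as background:", sorted(noise))
    for path, h in unstable_hashes(parse_files(SAMPLE_FILES)).items():
        print(f"{path}: {len(h)} distinct SHA256 values, use path and name, not hash")
```

On the full tables this yields three domains and three port-80 endpoints as network indicators, and reports both drop paths of omsecor.exe as unstable, which is why the file indicators worth keeping are the name and the two paths rather than any of the hashes.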