Malware Analysis Report

2024-11-16 13:00

Sample ID: 240520-mcp5qsfa57
Target:    e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
SHA256:    e178115b6696cca91a0e9dc17f21a186ddb79b9f44e16a7f8c9815652bec0e54
Tags:      neconyd, trojan
Score:     10/10

The 32-hex-character prefix of the target filename has the shape of an MD5 and is most likely the hash assigned by the submitting feed, but the report itself does not list an MD5 for the sample, so pivot on the SHA256 above rather than on the filename.

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:        10/10
SHA256:       e178115b6696cca91a0e9dc17f21a186ddb79b9f44e16a7f8c9815652bec0e54
Threat Level: Known bad

The file e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe was classified as Known bad.

Malicious Activity Summary

neconyd trojan
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory

Only three of these signatures are broken out with evidence in the per-run sections below: Unsigned PE (static1), and Drops file in System32 directory and Suspicious use of WriteProcessMemory (both behavioral runs). Executes dropped EXE and Program crash are nevertheless visible in the process lists (copies of the dropped omsecor.exe running; on Windows 10, WerFault.exe invoked for four PIDs). Suspicious use of SetThreadContext, together with each process writing into a freshly started copy of its own image, is the usual shape of process hollowing (RunPE). No DLL appears in either run's file list, so the Loads dropped DLL signature has no supporting artifact on this page.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-20 10:19

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

The static pass records only that the sample carries no Authenticode signature; there is no indicator, process or target to attach to it.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-20 10:19
Reported:         2024-05-20 10:21
Platform:         win7-20240508-en
Max time kernel:  146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

The sandbox logs one row per WriteProcessMemory call; identical rows are collapsed here with a count. The Indicator column was N/A on every row and is omitted. Image paths are abbreviated:

  [sample]  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
  [roaming] C:\Users\Admin\AppData\Roaming\omsecor.exe
  [syswow]  C:\Windows\SysWOW64\omsecor.exe

Description                       Count  Process    Target
PID 2408 wrote to memory of 2260  6      [sample]   [sample]
PID 2260 wrote to memory of 1676  4      [sample]   [roaming]
PID 1676 wrote to memory of 2360  6      [roaming]  [roaming]
PID 2360 wrote to memory of 2864  4      [roaming]  [syswow]
PID 2864 wrote to memory of 2732  6      [syswow]   [syswow]
PID 2732 wrote to memory of 852   4      [syswow]   [roaming]
PID 852 wrote to memory of 572    6      [roaming]  [roaming]

Read top to bottom this is one linear chain, 2408 -> 2260 -> 1676 -> 2360 -> 2864 -> 2732 -> 852 -> 572, in which two kinds of hop alternate. In the six-write hops the writer and the target run the same image: the process starts a second copy of itself and writes into it, which together with the Suspicious use of SetThreadContext signature in the summary is the process-hollowing (RunPE) pattern. In the four-write hops the writer is the hollowed copy and the target is a freshly dropped omsecor.exe, alternating between %AppData%\Roaming and SysWOW64. The memory dumps in the Files section agree with this reading: every writer in a same-image hop has a 0x24000-byte image at 0x400000, while every target of such a hop ends up with a 0x29000-byte image at the same base, so what is written in is not the on-disk file.
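The chain above can be recovered mechanically from the sandbox's one-row-per-call table. The following script is an added example for this report, not part of the sandbox's own tooling: it takes the behavioral1 rows (rebuilt from the PIDs and paths shown above), collapses repeats, labels each hop as a same-image write ("hollow") or a write into a different image ("drop"), and walks the chain from root to leaf. The hollow/drop heuristic is this example's assumption, chosen to match the SetThreadContext signature in the summary; on a real export you would paste the raw table text into RAW instead of generating it.

```python
import re
from collections import OrderedDict

# Constructed from the behavioral1 WriteProcessMemory table above:
# (parent PID, child PID, parent image, child image, number of identical rows).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
TABLE = [
    (2408, 2260, SAMPLE, SAMPLE, 6),
    (2260, 1676, SAMPLE, ROAMING, 4),
    (1676, 2360, ROAMING, ROAMING, 6),
    (2360, 2864, ROAMING, SYSWOW, 4),
    (2864, 2732, SYSWOW, SYSWOW, 6),
    (2732, 852, SYSWOW, ROAMING, 4),
    (852, 572, ROAMING, ROAMING, 6),
]
# Expanded back into the sandbox's one-line-per-call format so the parser
# below works on the report text exactly as it is pasted.
RAW = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
    for p, c, pi, ci, n in TABLE for _ in range(n)
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_events(text):
    """One (parent, child, parent_image, child_image) tuple per table row."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], m[4]))
    return out


def summarize(events):
    """Collapse repeated rows into one edge per (parent, child).

    Heuristic (this example's assumption): a parent writing into a child
    that runs the *same* image is the RunPE / process-hollowing shape; a
    write into a different image is the hollowed payload starting a file
    it dropped.
    """
    edges = OrderedDict()
    for parent, child, pimg, cimg in events:
        e = edges.setdefault((parent, child), {
            "count": 0, "parent_image": pimg, "child_image": cimg,
            "kind": "hollow" if pimg.lower() == cimg.lower() else "drop"})
        e["count"] += 1
    return edges


def chain(edges):
    """Walk from the root (a parent nobody wrote into) to the leaf.

    Raises if the edges do not form one linear chain, because that is the
    property the caller relies on; a branching tree needs a different walk.
    """
    nxt = {}
    for parent, child in edges:
        if parent in nxt:
            raise ValueError(f"PID {parent} wrote into more than one child")
        nxt[parent] = child
    roots = set(nxt) - set(nxt.values())
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {sorted(roots)}")
    pid = roots.pop()
    order = [pid]
    while pid in nxt:
        pid = nxt[pid]
        order.append(pid)
    return order


if __name__ == "__main__":
    edges = summarize(parse_events(RAW))
    print(" -> ".join(map(str, chain(edges))))
    for (p, c), e in edges.items():
        print(f"{p:>5} -> {c:<5} {e['kind']:6} x{e['count']}  {e['child_image']}")
```

Running it prints the eight-PID chain followed by one line per hop; the four hops labelled "hollow" are the ones whose writer also shows up as a WerFault target in the Windows 10 run further down.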

Processes

Each process is listed with its image path and the command line the sandbox recorded. The PIDs are not printed by this view; they are inferred from the WriteProcessMemory table above, which lists the same eight processes in the same order.

PID   Image                                                                                  Command line
2408  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"
2260  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
1676  C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
2360  C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
2864  C:\Windows\SysWOW64\omsecor.exe                                                        C:\Windows\System32\omsecor.exe
2732  C:\Windows\SysWOW64\omsecor.exe                                                        C:\Windows\SysWOW64\omsecor.exe
852   C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
572   C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe

Only the first command line is quoted, because the sandbox launched it; every later process was started by the malware with a bare path. PID 2864 is worth a second look: the command line names C:\Windows\System32\omsecor.exe but the image that ran is C:\Windows\SysWOW64\omsecor.exe. The malware is 32-bit, so WoW64 file-system redirection maps its System32 path to SysWOW64 both when it writes the file and when it executes it; that is why the drop signature reads "System32 directory" while the artifact sits in SysWOW64. Hunt for both paths.

Network

Rows the sandbox repeated verbatim are collapsed with a count; the original order interleaved them.

Country  Destination          Domain           Proto  Count
US       8.8.8.8:53           lousta.net       udp    1
FI       193.166.255.171:80   lousta.net       tcp    4
US       8.8.8.8:53           mkkuei4kdsz.com  udp    1
US       64.225.91.73:80      mkkuei4kdsz.com  tcp    2
US       8.8.8.8:53           ow5dirasuek.com  udp    1
US       35.91.124.102:80     ow5dirasuek.com  tcp    1

All three hosts are resolved through 8.8.8.8 and contacted over plain HTTP on port 80. The Windows 7 run shows no other traffic, so this set is the sample's own network activity with no sandbox background noise to filter.

Files

Dropped files, in the order the sandbox recorded them. The Roaming path is written twice with different contents, so the same path appears twice.

\Users\Admin\AppData\Roaming\omsecor.exe (first write, recorded between the PID 2260 memory dumps)
  MD5    f1f33d4dd65a06546b32e56a4f10b0e1
  SHA1   f0fed91149ec8f89e94af540ddafcaf602f23c2b
  SHA256 ab96330ac27d557bacf0c8b14381b5240a77b4d8fdf41db27036385de92a2fe8
  SHA512 2a2066dc0286390c03ed8e5c64efeac9d31932ce5d3a60a575e717c623a0cb818f6a2938266cb912990b6b2e43cfea2393077d64a2b6c758c54120437dfd44fc

\Windows\SysWOW64\omsecor.exe (recorded after the PID 2360 dump #42)
  MD5    245a740264359625176bde85f1611fed
  SHA1   63ec69f4e9be3804ec228b6d94a6c7f208b022e3
  SHA256 2368aead53a0b5282b45e4d31c8dec2508421f9b8ed60fd27d92c47c53a0dbe3
  SHA512 3ed3cdd05ab9bbd218b9d6df76ff21101493b652df3079682fc42e677d07eca5dffb8acb0bde8f988d30ec81c1416845aba1ec1e200c90c48ef204020e58a23c

\Users\Admin\AppData\Roaming\omsecor.exe (second write, recorded after the PID 2864 dump #62)
  MD5    704eadaa70c9405b9fe3faafc54d0df5
  SHA1   99f6c526b61deadc40a3fa5fd68f0d34e091f59f
  SHA256 62a07eadcdab92d3364ed0a5acf9f9b085ce26c805315fec0941d5b9ee23c636
  SHA512 400f12612328a654ac81eb28fa1fa8080157587656152f3dcaa1ff1dde5bbd8c178947fc1e7f076df1ea0dc4cef5f0d136f237af9fef1d83d51b050a4662fb63

Memory dumps. The sandbox names each dump memory/<pid>-<index>-<start>-<end>-memory.dmp, where index is the order in which the dump was taken; the table groups them by PID.

PID   Index(es)             Region                    Size
2408  0, 6                  0x00400000-0x00424000     0x24000
2260  1, 5, 8, 12           0x00400000-0x00429000     0x29000
2260  3                     0x7EFDE000-0x7EFDF000     one page
2260  18                    0x00230000-0x00254000     0x24000
1676  21, 30                0x00400000-0x00424000     0x24000
2360  33, 36, 39, 42, 53    0x00400000-0x00429000     0x29000
2360  45                    0x00290000-0x002B4000     0x24000
2864  62                    0x00400000-0x00424000     0x24000
2732  68                    0x00240000-0x00264000     0x24000
852   76, 83                0x00400000-0x00424000     0x24000
572   85, 88                0x00400000-0x00429000     0x29000

Three things stand out. First, none of the dropped files has the submitted sample's SHA256, and the two writes to the Roaming path differ from each other, so a hash rule on omsecor.exe will not hold across hops; match on the path and on the self-injection behaviour instead. Second, only two image sizes occur: 0x24000 bytes, the image of every process that writes into a copy of itself (2408, 1676, 2864, 852), and 0x29000 bytes, the image every written-into copy ends up with (2260, 2360, 572). The hollowed copies also hold a private 0x24000-byte region (2260 at 0x230000, 2360 at 0x290000, 2732 at 0x240000), the size of the on-disk loader they go on to drop. Third, the single page at 0x7EFDE000 in PID 2260 is where the 32-bit PEB is typically mapped for a WoW64 process on Windows 7; a loader that replaces a process image normally rewrites the PEB's ImageBaseAddress, which is consistent with that page being captured.

Analysis: behavioral2

Detonation Overview

Submitted:        2024-05-20 10:19
Reported:         2024-05-20 10:21
Platform:         win10v2004-20240508-en
Max time kernel:  146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed with a count; the Indicator column was N/A throughout and is omitted. Image paths are abbreviated:

  [sample]  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
  [roaming] C:\Users\Admin\AppData\Roaming\omsecor.exe
  [syswow]  C:\Windows\SysWOW64\omsecor.exe

Description                       Count  Process    Target
PID 412 wrote to memory of 1204   5      [sample]   [sample]
PID 1204 wrote to memory of 1396  3      [sample]   [roaming]
PID 1396 wrote to memory of 876   5      [roaming]  [roaming]
PID 876 wrote to memory of 3412   3      [roaming]  [syswow]
PID 3412 wrote to memory of 3688  5      [syswow]   [syswow]
PID 3688 wrote to memory of 4908  3      [syswow]   [roaming]
PID 4908 wrote to memory of 4532  5      [roaming]  [roaming]

The chain 412 -> 1204 -> 1396 -> 876 -> 3412 -> 3688 -> 4908 -> 4532 has exactly the shape of the Windows 7 run: a same-image write (hollowing a fresh copy of itself) alternating with a write into a newly dropped omsecor.exe, the drop location alternating between %AppData%\Roaming and SysWOW64. The only difference is one fewer recorded write per hop (5 and 3 instead of 6 and 4). The four writers in the same-image hops (412, 1396, 3412, 4908) are also the four PIDs for which WerFault.exe runs in the process list below.

Processes

Image path and command line as recorded. Malware PIDs are inferred from the WriteProcessMemory table above (same eight processes, same order); WerFault.exe entries carry the crashed process's PID in their -p argument, and their own PIDs are not shown in this view.

PID   Image                                                                                  Command line
412   C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"
1204  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
1396  C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 412 -ip 412
876   C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1396 -ip 1396
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 288
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 288
3412  C:\Windows\SysWOW64\omsecor.exe                                                        C:\Windows\System32\omsecor.exe
3688  C:\Windows\SysWOW64\omsecor.exe                                                        C:\Windows\SysWOW64\omsecor.exe
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3412 -ip 3412
4908  C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 292
4532  C:\Users\Admin\AppData\Roaming\omsecor.exe                                             C:\Users\Admin\AppData\Roaming\omsecor.exe
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4908 -ip 4908
-     C:\Windows\SysWOW64\WerFault.exe                                                       C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 256

This is the source of the Program crash signature. Each crash produces the usual Windows 10 WER pair (a -pss instance followed by a -u instance for the same -p PID), and the four crashed PIDs, 412, 1396, 3412 and 4908, are exactly the processes that wrote into a fresh copy of their own image: on this platform the hollowing parent dies after handing off, while the hollowed child keeps the chain going. As in the Windows 7 run, PID 3412 was launched with a System32 path and ran from SysWOW64 through WoW64 redirection. A WerFault.exe -p <pid> whose parent is an unsigned binary under %AppData%\Roaming or SysWOW64 is a cheap detection pivot for this family's behaviour on Windows 10.

Network

Rows are kept in the sandbox's order, with a Class column added: "noise" for the reverse-DNS lookups the sandbox performs for every peer and for the Bing traffic a Windows 10 image generates on its own, "dns" for the sample resolving its own hosts, and "contact" for the resulting connections.

Country  Destination            Domain                         Proto  Class
US       8.8.8.8:53             8.8.8.8.in-addr.arpa           udp    noise
US       8.8.8.8:53             183.142.211.20.in-addr.arpa    udp    noise
US       8.8.8.8:53             lousta.net                     udp    dns
FI       193.166.255.171:80     lousta.net                     tcp    contact
US       8.8.8.8:53             130.211.222.173.in-addr.arpa   udp    noise
NL       23.62.61.88:443        www.bing.com                   tcp    noise
US       8.8.8.8:53             0.159.190.20.in-addr.arpa      udp    noise
US       8.8.8.8:53             43.58.199.20.in-addr.arpa      udp    noise
US       8.8.8.8:53             88.61.62.23.in-addr.arpa       udp    noise
US       8.8.8.8:53             58.55.71.13.in-addr.arpa       udp    noise
US       8.8.8.8:53             183.59.114.20.in-addr.arpa     udp    noise
FI       193.166.255.171:80     lousta.net                     tcp    contact
US       8.8.8.8:53             206.23.85.13.in-addr.arpa      udp    noise
US       8.8.8.8:53             172.210.232.199.in-addr.arpa   udp    noise
US       8.8.8.8:53             mkkuei4kdsz.com                udp    dns
US       64.225.91.73:80        mkkuei4kdsz.com                tcp    contact
US       8.8.8.8:53             73.91.225.64.in-addr.arpa      udp    noise
US       8.8.8.8:53             26.35.223.20.in-addr.arpa      udp    noise
US       8.8.8.8:53             ow5dirasuek.com                udp    dns
US       35.91.124.102:80       ow5dirasuek.com                tcp    contact
US       8.8.8.8:53             102.124.91.35.in-addr.arpa     udp    noise
FI       193.166.255.171:80     lousta.net                     tcp    contact
US       8.8.8.8:53             43.229.111.52.in-addr.arpa     udp    noise
US       8.8.8.8:53             tse1.mm.bing.net               udp    noise
US       204.79.197.200:443     tse1.mm.bing.net               tcp    noise
US       204.79.197.200:443     tse1.mm.bing.net               tcp    noise
FI       193.166.255.171:80     lousta.net                     tcp    contact
US       64.225.91.73:80        mkkuei4kdsz.com                tcp    contact

Once the noise is removed, the Windows 10 run contacts the same three hosts as the Windows 7 run, over plain HTTP on port 80 and with the same counts (lousta.net four times, mkkuei4kdsz.com twice, ow5dirasuek.com once). The in-addr.arpa entries are PTR lookups of addresses the sandbox saw, including Microsoft ranges, and should not be treated as indicators; the three domains and their resolved addresses should.
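Separating the sample's contacts from resolver traffic and sandbox background is the step a Windows 10 report like this one needs before its network rows can be turned into indicators. The script below is an added example for this report, not part of the sandbox's tooling: it parses the behavioral2 Network table as pasted above, classifies each row, and returns the unique host:port contacts with counts plus a block list. Which suffixes count as background (the sandbox's reverse-DNS lookups and Bing/Microsoft telemetry) is this example's assumption and would be tuned per sandbox image.

```python
import re
from collections import OrderedDict

# Copied from the behavioral2 Network table above (win10 run).
NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

ROW = re.compile(r"^(\w{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")

# Assumption of this example: hosts a clean Windows 10 sandbox image talks
# to on its own. Extend per image; never put the sample's domains here.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def classify(row):
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return "reverse-dns"   # PTR lookups the sandbox issues for every peer
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"    # OS telemetry, including its DNS queries
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"           # the sample resolving its own hosts
    return "contact"           # the sample talking to a resolved host


def triage(text):
    """Return contacts keyed by (domain, ip, port, proto) with counts, the
    domains the sample resolved, the resolver(s) used, and the noise count."""
    contacts, dns, resolvers, noise = OrderedDict(), [], set(), 0
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "contact":
            key = (row["domain"], row["ip"], row["port"], row["proto"])
            contacts[key] = contacts.get(key, 0) + 1
        elif kind == "dns":
            resolvers.add(row["ip"])
            if row["domain"] not in dns:
                dns.append(row["domain"])
        else:
            noise += 1
    return {"contacts": contacts, "dns": dns, "resolvers": resolvers, "noise": noise}


def block_list(result):
    """Unique (domain, ip, port) triples in first-seen order."""
    out = []
    for domain, ip, port, _proto in result["contacts"]:
        if (domain, ip, port) not in out:
            out.append((domain, ip, port))
    return out


if __name__ == "__main__":
    r = triage(NETWORK)
    for (domain, ip, port, proto), n in r["contacts"].items():
        print(f"{domain:16} {ip}:{port}/{proto}  x{n}")
    print(f"resolved via {sorted(r['resolvers'])}; {r['noise']} noise rows dropped")
```

The order of checks in classify matters: the Bing DNS query is caught by the background suffix before the port-53 rule, so it is not reported as a sample lookup. Feeding the Windows 7 table through the same code yields the same three contacts with zero noise, which is the cross-run consistency check worth doing before publishing indicators.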

Files

Dropped files, in the order the sandbox recorded them.

C:\Users\Admin\AppData\Roaming\omsecor.exe (first write, recorded after the PID 1396 dump #11)
  MD5    f1f33d4dd65a06546b32e56a4f10b0e1
  SHA1   f0fed91149ec8f89e94af540ddafcaf602f23c2b
  SHA256 ab96330ac27d557bacf0c8b14381b5240a77b4d8fdf41db27036385de92a2fe8
  SHA512 2a2066dc0286390c03ed8e5c64efeac9d31932ce5d3a60a575e717c623a0cb818f6a2938266cb912990b6b2e43cfea2393077d64a2b6c758c54120437dfd44fc

C:\Windows\SysWOW64\omsecor.exe (recorded after the PID 876 dump #28)
  MD5    de3ea46560c7e0ed009b4ddb95145899
  SHA1   b03a199fc83a8f79b6e3115e36cee413ebe5768a
  SHA256 19a21890ef1e4d6fa7f181ebd07e5c096cacfc117cbf5eb01ccbabd3b8b99566
  SHA512 4a3ea27bfdf413baf400de50969fb6f0244093c8af86bb06de43e9e6606fbcbcfafc8f68f3796af44664e1867a36a712bf06a20e2c95bd38d6dafb79853a9998

C:\Users\Admin\AppData\Roaming\omsecor.exe (second write, recorded after the PID 3688 dump #35)
  MD5    f070806249d51972e6924609e9350db4
  SHA1   fdb9ac094e1320f77ce8acbc156eb081c1018dc7
  SHA256 d0f384b0569b25028f12b5b57675fd4b07ca804309fa4849c8d88ca1aff41892
  SHA512 bb0fa709c7ca7c2cf16da3d6ec316b9629d058e333fc1a536beb608eb3e9a34111fd6b5bede61aa9369b18575d5a5fc111702acabe3477b8df667a758e71ec91

Memory dumps, grouped by PID (dump names follow memory/<pid>-<index>-<start>-<end>-memory.dmp).

PID   Index(es)                   Region                    Size
412   0, 16                       0x00400000-0x00424000     0x24000
1204  1, 2, 3, 5                  0x00400000-0x00429000     0x29000
1396  11                          0x00400000-0x00424000     0x24000
876   14, 15, 17, 20, 23, 24, 28  0x00400000-0x00429000     0x29000
3412  31, 47                      0x00400000-0x00424000     0x24000
3688  34, 35, 38                  0x00400000-0x00429000     0x29000
4908  40                          0x00400000-0x00424000     0x24000
4532  45, 46, 48, 51              0x00400000-0x00429000     0x29000

The first omsecor.exe written to %AppData%\Roaming is byte-identical to the first Roaming drop in the Windows 7 run (MD5 f1f33d4dd65a06546b32e56a4f10b0e1, SHA256 ab96330a...), so that hash is stable across runs and platforms and is the one worth pivoting on. The SysWOW64 drop and the second Roaming drop differ from their Windows 7 counterparts and from each other, so later-stage hashes are per-run and should be treated as low-value indicators. The image-size pattern is the same as on Windows 7: 0x24000 bytes for every process that hollows a copy of itself, 0x29000 bytes for every hollowed copy. This run captured no PEB page and no private 0x24000-byte buffers.