Malware Analysis Report

2024-11-16 12:59

Sample ID 240522-afsntaee5t
Target 1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe
SHA256 80bb9eba7fc0082b35bb6bad4f1619ea7e8bb8fdeb14657d591eb8d1646f13b4
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

80bb9eba7fc0082b35bb6bad4f1619ea7e8bb8fdeb14657d591eb8d1646f13b4

Threat Level: Known bad

The file 1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 00:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 00:09

Reported

2024-05-22 00:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe
PID 1264 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1284 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2172 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2688 wrote to memory of 1628 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1652 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 64.225.91.73:80 tcp

Files

memory/2164-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2164-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1264-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1264-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1264-11-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d05aceaab0f4fa62ea57774190c75dac
SHA1 d619a49bf0a490b4fe91fbe5a8b3f62e76b0da15
SHA256 0c6bb14829ca1ca5f7986c94101df240d290c143ee2d13cf5e5110a0c67f42de
SHA512 ab87ce51b4a63a33021ee123a722706fd91546eca297da0965d41fd40289eaa818612fabc1ef6314e5d350bd3601d83b4caee15a310a661c2115a55d4551509c

memory/1284-30-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1284-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2172-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2172-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 39d2e37719a62133c44ac6b53a2e816d
SHA1 2e5616839e424b4b3507d6d0dc5c4b3270d191ff
SHA256 f7cf3f25aca787ce422b87ae1bd7aa25ee79fb2eebfb5a1755a40bdf15d8a08e
SHA512 fec6d622eaa504db65d17db8e6854727cf7a3055968e4b4ad39e209fbe48a3b640bdbc60bcdebb0123e4113f665f736d88c1b28d64b03942e3b1e471070bd9ce

memory/2172-46-0x00000000003C0000-0x00000000003E3000-memory.dmp

memory/2172-55-0x00000000003C0000-0x00000000003E3000-memory.dmp

memory/2172-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2688-66-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d5640799a40f005a9ef513454bd6552f
SHA1 1ac3d0d82a9252173e62783b9436727231d8b0e1
SHA256 0eb638e1f641409ecb1a5fbb108e8f59294a69688b6ed610ae16f8fda92480c9
SHA512 11f9fcb1381f6928ec3923102df50c9d0c6b8ba6cfe3d82fb81d8e3273155ac59770e00a9cb68cabcb3d6f5d54b47efeddf6cf9b0d3c79b75da587ffa6b0c6b7

memory/1652-77-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1652-85-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2876-87-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2876-90-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 00:09

Reported

2024-05-22 00:12

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe
PID 1228 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4664 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4696 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 4112 wrote to memory of 3008 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3008 wrote to memory of 4952 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4952 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1223f3fc984b9608c6893175381e40e0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1688 -ip 1688

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4112 -ip 4112

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 304

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1688-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1228-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1228-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1228-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1228-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d05aceaab0f4fa62ea57774190c75dac
SHA1 d619a49bf0a490b4fe91fbe5a8b3f62e76b0da15
SHA256 0c6bb14829ca1ca5f7986c94101df240d290c143ee2d13cf5e5110a0c67f42de
SHA512 ab87ce51b4a63a33021ee123a722706fd91546eca297da0965d41fd40289eaa818612fabc1ef6314e5d350bd3601d83b4caee15a310a661c2115a55d4551509c

memory/4664-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4696-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4696-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1688-16-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4696-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4696-21-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4696-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4696-25-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 1edbf17e2588f6b9e2086f73515ceb98
SHA1 cdc1e7c4df486d868663b1e0d40871245c8b3dea
SHA256 53f8715a16388bb243cd49d436333a99431fa5ca9f2cadf5473cf5199c266884
SHA512 8ab454e7d6732310cfb90f9ef59ac78ce0fbb35aa91f88ec969e123bba339bf6042e901e15f95972b42bbe0556426b9ce45630f21d990c396072d1316a60c93a

memory/4696-29-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4112-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3008-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3008-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3008-35-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 89e0171902c45dd156f5080652630205
SHA1 f6146f1eb19ace9551403a287ad95b6ee612e9b5
SHA256 c2866857d9af4871f22ecebc6a8f4374364aa1887a5301585ce8deeda8d4495f
SHA512 1e40f6f202d3a7645bac9e84ba74783c309a05f020857d74b25dd1f53e874485698ded85c712e11f0c79146ff5e05d3efa85b973ed14cc043df59224cd55d820

memory/4952-43-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3956-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3956-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4112-51-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4952-52-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3956-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3956-56-0x0000000000400000-0x0000000000429000-memory.dmp