Malware Analysis Report

2024-11-16 13:01

Sample ID 240523-zw448age34
Target 890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
SHA256 e9cb147b309b2a092a566b155a1d7e596eabb7e05876bdb97f122bdb5306ecb6
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9cb147b309b2a092a566b155a1d7e596eabb7e05876bdb97f122bdb5306ecb6

Threat Level: Known bad

The file 890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 21:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 21:05

Reported

2024-05-23 21:07

Platform

win7-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2508 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 2508 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 2508 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 2508 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 2508 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 2508 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 2908 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2892 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2892 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2892 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2892 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2892 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2892 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3028 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3028 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3028 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1588 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1588 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1588 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1588 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1588 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1588 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1968 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2020 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2020 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2020 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2020 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2020 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2020 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2508-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2908-14-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2908-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2508-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2908-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2908-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5429ee252b225c58bce440d704d28eda
SHA1 9fb7408b11d09070a759702c6c4c575b4ae35b29
SHA256 71aab23bf69517157b36618937e9e28ddfd36e2b333e2ca34be5f96676b83255
SHA512 73979325b2b46c6c3e87940c444fe967704fe8d234da8c5bba65391667aa264f3ebee0320e05a9f213084efef4fe4a06316cf1fe1814b77a7c5639eeaaa1ae94

memory/2908-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2908-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2892-22-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2892-25-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2892-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3028-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3028-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3028-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3028-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 1cef5f406a2d166d4ed01a2da5d9cd95
SHA1 18d7d5cb07b1acd0907fcc9af767ad4b4cae8997
SHA256 2ac0ef7351c6cd525c2b1dbf6c828d1d1f228f1cd8ce61bff71fddf737a44978
SHA512 84c37f33351264fe3e243ebabfebd46c4c39d7ee1914ac39b07c03e13a3d6fa65aaa8d83686edd0ac7658df0d65b2d0069197ac79806888eccc3e3a10316ca2d

memory/3028-48-0x0000000002550000-0x0000000002573000-memory.dmp

memory/1588-58-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3028-57-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c333103d11f4aba25ed71d7920e6331b
SHA1 c9b36cf6a1b8cdcc7d9f32b59d83a7264b511698
SHA256 10cf35625b3e61b98779e0e38a107d701b0131b552a98dab30ce125ea0218208
SHA512 9a8cca4e8c05d0cb3c638e8319cd2b0dfaf8725ae013cc9de0f87d742c15652668b98f160f54f7ef0f1bbe47ccdeb9aac9f49ad664a480450183ed3a886fcded

memory/1588-68-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1968-73-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2020-81-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2020-89-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1912-91-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1912-94-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 21:05

Reported

2024-05-23 21:07

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4016 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 4016 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 4016 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 4016 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 4016 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe
PID 3084 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3084 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3084 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2612 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2612 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2612 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2612 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2612 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2484 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2484 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2484 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4768 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4768 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4768 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4768 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 4768 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1976 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1976 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1976 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3156 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3156 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3156 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3156 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3156 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\890a24c08cce22c88bd4fd4c3dd1a330_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4016 -ip 4016

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2612 -ip 2612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4768 -ip 4768

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3156 -ip 3156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 268

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 52.111.227.14:443 | | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/4016-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3084-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3084-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3084-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3084-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5429ee252b225c58bce440d704d28eda
SHA1 9fb7408b11d09070a759702c6c4c575b4ae35b29
SHA256 71aab23bf69517157b36618937e9e28ddfd36e2b333e2ca34be5f96676b83255
SHA512 73979325b2b46c6c3e87940c444fe967704fe8d234da8c5bba65391667aa264f3ebee0320e05a9f213084efef4fe4a06316cf1fe1814b77a7c5639eeaaa1ae94

memory/2612-10-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2484-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2484-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4016-19-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2484-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2484-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2484-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2484-27-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 ea661f0f532b091df8938bf327d34c70
SHA1 a2e00a7b9965607a2145e2ab5692206804c4ce05
SHA256 ec4c1dcaa42d333e7b1bd026d2342ea783b53aa24c24b6e52f38a4f782170411
SHA512 0d0525395f60cc16e65eb9cc7a9f3f98117ced64a7f7fc5ae55f435f4da5eba941918627c86f80afcb272dcaa3a9c8835a5e0e01c81b87b0f391dcf83a1498ca

memory/2484-30-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4768-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1976-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1976-37-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 61de6eed091a188690a5ffebe0b6ead8
SHA1 829947a1e3554593bf2912206f1d5523396d8f7f
SHA256 e551931d6fbf4aa3f939d129db968a5e284cc680044a7c0f5bac8a12e2197912
SHA512 e4d1df8467be4745d55d689f3e8af8826d7740980e2c948d7d65dcc2bcea5e4b5fbc640957fa3b3924414e5b1cf8dceaa4045e68f2042441881cbb8d3228e8b2

memory/1976-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3156-43-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2216-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2216-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3156-51-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2216-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2216-55-0x0000000000400000-0x0000000000429000-memory.dmp