Malware Analysis Report

2024-11-16 13:01

Sample ID: 240524-fcrv1adg53
Target: aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
SHA256: 7606e66f0b5c1ab0f2099aa446bf682e16221e4343650b7e9409658f4c8f26eb
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-24 04:43

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-24 04:43
Reported: 2024-05-24 04:46
Platform: win7-20231129-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

File created: C:\Windows\SysWOW64\omsecor.exe
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory

Source PID -> target PID (number of recorded WriteProcessMemory events), with the writing process and the target process image:

PID 2316 wrote to memory of PID 2376 (6 events)
  Process: C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
PID 2376 wrote to memory of PID 2064 (4 events)
  Process: C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2064 wrote to memory of PID 860 (6 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 860 wrote to memory of PID 2776 (4 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target:  C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of PID 1124 (6 events)
  Process: C:\Windows\SysWOW64\omsecor.exe
  Target:  C:\Windows\SysWOW64\omsecor.exe
PID 1124 wrote to memory of PID 764 (4 events)
  Process: C:\Windows\SysWOW64\omsecor.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 764 wrote to memory of PID 2940 (6 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2316-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2376-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2376-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2376-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2316-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2376-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2376-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2064-21-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    8f5d1f8c16c649e1cb863191544b1492
  SHA1   54b625db7f84d0e9145d1fc6a8681cdc6f86cc41
  SHA256 8963dd305e34bed828548fb39f96f1cc3dc0eb8342d59ad07605945bb8cf012d
  SHA512 338c3a8879c26ee8c7605475c48046ba111a2fed0ff8f75da6f485118ff04498df10b74cc7788c30223e4eb493bc267cd44854f687a60bfc9052f2db440b4694

memory/2064-31-0x0000000000400000-0x0000000000423000-memory.dmp
memory/860-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/860-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/860-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/860-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe
  MD5    813e80f5bfa97093070ed817a914e89f
  SHA1   2a9611459926a89c6ff1ee06a81cfcce9529594d
  SHA256 c83cf6f5f379c24599ecae98632dc413d762b5f018994861e484b31ccf805932
  SHA512 e44780ff6bfeaef51dbb44c585902cf92e87472f83a87c8ec4745dea543e213b4d2ae39b85a9a1c8e0bc9b83a2724c7eb3c102455b66e2265eb07512aa382c32

memory/860-46-0x0000000001F60000-0x0000000001F83000-memory.dmp
memory/860-54-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2776-56-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2776-64-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    7b86499a108c6792d717eae320fc53fb
  SHA1   ad953294f9ce195b49c8ce04ddc631b126303e8f
  SHA256 9fe45ea10acc3b302841bd8e06ab14a9b3ae2f4b226e14d13e43e0d31935f496
  SHA512 83ab42021367f2b4cb1a5ab79509f31d1bf4fa3d112fd3ac5591b4f9e4c7e2d9ad08669512b7c2055781f9d682bf7213ddb41aba3cc25c9dd8ff3d09140d1369

memory/1124-71-0x0000000000230000-0x0000000000253000-memory.dmp
memory/764-79-0x0000000000400000-0x0000000000423000-memory.dmp
memory/764-87-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2940-89-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2940-92-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-24 04:43
Reported: 2024-05-24 04:46
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

File created: C:\Windows\SysWOW64\omsecor.exe
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory

Source PID -> target PID (number of recorded WriteProcessMemory events), with the writing process and the target process image:

PID 1848 wrote to memory of PID 3316 (5 events)
  Process: C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
PID 3316 wrote to memory of PID 3116 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3116 wrote to memory of PID 1184 (5 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1184 wrote to memory of PID 3720 (3 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target:  C:\Windows\SysWOW64\omsecor.exe
PID 3720 wrote to memory of PID 4460 (5 events)
  Process: C:\Windows\SysWOW64\omsecor.exe
  Target:  C:\Windows\SysWOW64\omsecor.exe
PID 4460 wrote to memory of PID 2460 (3 events)
  Process: C:\Windows\SysWOW64\omsecor.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2460 wrote to memory of PID 4060 (5 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target:  C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\aa558b5c19ddb7e2614f0e27e27f1b00_NeikiAnalytics.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1848 -ip 1848
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3116 -ip 3116
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 300
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 288
C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3720 -ip 3720
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2460 -ip 2460
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1848-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3316-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3316-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3316-3-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    8f5d1f8c16c649e1cb863191544b1492
  SHA1   54b625db7f84d0e9145d1fc6a8681cdc6f86cc41
  SHA256 8963dd305e34bed828548fb39f96f1cc3dc0eb8342d59ad07605945bb8cf012d
  SHA512 338c3a8879c26ee8c7605475c48046ba111a2fed0ff8f75da6f485118ff04498df10b74cc7788c30223e4eb493bc267cd44854f687a60bfc9052f2db440b4694

memory/3116-11-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3316-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1184-29-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
  MD5    ec8af3627a68de5127d7d9b97e72a881
  SHA1   f86db60acc4d3a8e77e9becb5e07d6079c0cbf71
  SHA256 0c84109fb7cf3f34d65094a0129e75692c73cc97ded200e0611166d2f72e5bcd
  SHA512 6e18c0ae8ad781f3963c851a0499a6ad46cc4a34a3c6548116998f48cee46de829d0a3e9d6a89d92d62fabf5937e52ba8a9719ce353221fdf0434bed909e64ae

memory/3720-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4460-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4460-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4460-35-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    86e642daef39d2c02bbd48673a6adad5
  SHA1   2d1eb5de67a0d72248e834410e4a20f461ee882f
  SHA256 b62727857bf71a661e9a526548bb2529e691d6826a5148c9cc048164cbea16ef
  SHA512 69d94d575e34632314cb56af8f15a4ca65cc7bc2d7aed97604b160a739245f02ee5ffc446ccc78765ac67d2945b63dac20feaee3647003b35fa330c655af144c

memory/2460-43-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4060-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4060-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3720-50-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4060-52-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4060-55-0x0000000000400000-0x0000000000429000-memory.dmp