Malware Analysis Report

2024-08-06 11:33

Sample ID 240611-g8smvaxemh
Target 2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe
SHA256 2cb0b6c1f841332c7ba8cadcf7f33765eb4bfc89f32286d3febdc0c0c99bf3fa
Tags
quasar evasion spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2cb0b6c1f841332c7ba8cadcf7f33765eb4bfc89f32286d3febdc0c0c99bf3fa

Threat Level: Known bad

The file 2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

quasar evasion spyware trojan

Quasar RAT

Quasar payload

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks computer location settings

Checks BIOS information in registry

Maps connected drives based on registry

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 06:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 06:28

Reported

2024-06-11 06:31

Platform

win10v2004-20240508-en

Max time kernel

83s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5068 set thread context of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5068 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3200 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2256 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2256 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2256 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2256 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2256 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2256 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2256 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2256 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWnYllkYIWuy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39C8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYa9fggAXHkT.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3200 -ip 3200

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/5068-0-0x000000007482E000-0x000000007482F000-memory.dmp

memory/5068-1-0x0000000000620000-0x00000000007C4000-memory.dmp

memory/5068-2-0x00000000075C0000-0x000000000767C000-memory.dmp

memory/5068-3-0x00000000058F0000-0x0000000005E94000-memory.dmp

memory/5068-4-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/5068-5-0x00000000054E0000-0x0000000005572000-memory.dmp

memory/5068-6-0x0000000005670000-0x000000000567A000-memory.dmp

memory/5068-7-0x00000000058A0000-0x00000000058B4000-memory.dmp

memory/5068-8-0x000000007482E000-0x000000007482F000-memory.dmp

memory/5068-9-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/5068-10-0x0000000006B10000-0x0000000006B96000-memory.dmp

memory/5068-11-0x0000000006D80000-0x0000000006E1C000-memory.dmp

memory/5068-12-0x0000000006F20000-0x0000000006F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp39C8.tmp

MD5 c316fba0328c40c557d905d733d8ec02
SHA1 4cd78457781c76e57cb88f114d6e525e47da3617
SHA256 2d873b80ea947edc913419cbcbc5bf0d0aae416c635abe01fd35d7861cb1bac6
SHA512 a99d19a497c159b8f5107f31b7b479525e3e3008646436b8f1949b10ce1e7901d952ae18a50c644fe2a91e391b50c5579857c49110f4012729b08f990e95a363

memory/3200-16-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5068-18-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3200-19-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3200-20-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3200-21-0x0000000005C20000-0x0000000005C32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYa9fggAXHkT.bat

MD5 a5e0ece81e73ddd35c3c7856d06347ca
SHA1 7c1fcb18e331ae324f333491b1c82fabe9878dcc
SHA256 5f76f7a5f120917c323f4804e94980c7c482b3286d4dffec8f243c11478a5468
SHA512 d82bb7ecf6b7478421c6b5a22f55a3356179a65202b993d02c3f3395deaa46d610200efc484ccab6c3ab7ce42a9d0887f98ca3f30a3521fbacfc633f42cb3d0d

memory/3200-27-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/5032-28-0x0000000000D50000-0x0000000000D90000-memory.dmp

memory/5032-29-0x0000000005550000-0x000000000556A000-memory.dmp

memory/5032-30-0x00000000057F0000-0x000000000594A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 06:28

Reported

2024-06-11 06:31

Platform

win7-20240220-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2912 set thread context of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWnYllkYIWuy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5A5.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 starwor.kozow.com udp
GB 23.19.58.183:1980 starwor.kozow.com tcp
GB 23.19.58.183:1980 starwor.kozow.com tcp

Files

memory/2912-0-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2912-1-0x00000000001A0000-0x0000000000344000-memory.dmp

memory/2912-2-0x00000000049F0000-0x0000000004AAC000-memory.dmp

memory/2912-3-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2912-4-0x0000000000410000-0x0000000000424000-memory.dmp

memory/2912-5-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2912-6-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2912-7-0x0000000005590000-0x0000000005616000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF5A5.tmp

MD5 a4aafa548209b1f08a550306d733f624
SHA1 32522ab9db13048137d3c25dbb2a323020f80795
SHA256 579341444402c734bfaf87def301bc7e7c8d3349fab85977460dd174c7f6922e
SHA512 5033905a89911581695184adbc4c76ec13aa4617cb0b1b8b3308554b671587bb775e4f59a89aad5702a04e8eda6b782cb601537e2905db7b9b4f87684f6d1dd5

memory/2232-12-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2232-14-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2232-13-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2232-19-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2232-23-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2232-21-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2232-18-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2912-24-0x0000000074230000-0x000000007491E000-memory.dmp