Malware Analysis Report

2025-08-10 22:39

Sample ID 250127-r4aatatjgz
Target t_1.78.127.175.zip
SHA256 f132442507ac158f69a46503bea2888f92b9749c7a58a4820b52bd25b40549d1
Tags discovery
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 f132442507ac158f69a46503bea2888f92b9749c7a58a4820b52bd25b40549d1

Threat Level: Shows suspicious behavior

The file t_1.78.127.175.zip was found to show suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported 2025-01-27 14:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-27 14:44

Reported 2025-01-27 14:47

Platform win10v2004-20241007-en

Max time kernel 119s

Max time network 144s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\t_1.78.127.175.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\t_1.78.127.175.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.137.101.95.in-addr.arpa udp
US 8.8.8.8:53 214.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 98.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2025-01-27 14:44

Reported 2025-01-27 14:47

Platform win10v2004-20241007-en

Max time kernel 93s

Max time network 135s

Command Line

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\2025 - Password.png"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\2025 - Password.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 214.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 167.205.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 102.137.101.95.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted 2025-01-27 14:44

Reported 2025-01-27 14:46

Platform win10v2004-20241007-en

Max time kernel 99s

Max time network 99s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Launcher_2.1.7z"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx C:\Windows\System32\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2404 set thread context of 4316 N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2760.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4941.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI49A0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1BEF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D87.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F11.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A4E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1E44.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1EC2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{735326FC-758C-4139-9E92-260E418070B2} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4ACD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B6A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e581b15.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1DF5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F60.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A6E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5473.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e581b15.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e581b19.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A0E.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2940 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2220 wrote to memory of 2940 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2220 wrote to memory of 2940 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2220 wrote to memory of 2648 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\UnRar.exe
PID 2220 wrote to memory of 2648 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\UnRar.exe
PID 2220 wrote to memory of 744 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\createdump.exe
PID 2220 wrote to memory of 744 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\createdump.exe
PID 2220 wrote to memory of 2404 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe
PID 2220 wrote to memory of 2404 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe
PID 2404 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe C:\Windows\SysWOW64\explorer.exe
PID 2404 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe C:\Windows\SysWOW64\explorer.exe
PID 2404 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe C:\Windows\SysWOW64\explorer.exe
PID 2404 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe C:\Windows\SysWOW64\explorer.exe
PID 2220 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2220 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2220 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Launcher_2.1.7z"

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\setup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3ED5B481BE489250C3B498F0BE50F2EF

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\UnRar.exe

"C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\UnRar.exe" x -p156427613t -o+ "C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\iwhgjds.rar" "C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\"

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\createdump.exe

"C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\createdump.exe"

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe

"C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe explorer.exe

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\setup.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DD53A4B0D7E7E6AE132A969395180008

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\2025 - Password.png" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 98.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 lightningpatrol.com udp
GB 143.244.38.136:80 lightningpatrol.com tcp
US 8.8.8.8:53 136.38.244.143.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.137.101.95.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 214.72.21.2.in-addr.arpa udp

Files

C:\Windows\Installer\MSI1BEF.tmp

MD5 ee09d6a1bb908b42c05fd0beeb67dfd2
SHA1 1eb7c1304b7bca649c2a5902b18a1ea57ceaa532
SHA256 7bbf611f5e2a16439dc8cd11936f6364f6d5cc0044545c92775da5646afc7752
SHA512 2dd2e4e66d2f2277f031c5f3c829a31c3b29196ab27262c6a8f1896a2113a1be1687c9e8cd9667b89157f099dfb969ef14ae3ea602d4c772e960bc41d39c3d05

C:\Windows\Installer\MSI1EC2.tmp

MD5 e83d774f643972b8eccdb3a34da135c5
SHA1 a58eccfb12d723c3460563c5191d604def235d15
SHA256 d0a6f6373cfb902fcd95bc12360a9e949f5597b72c01e0bd328f9b1e2080b5b7
SHA512 cb5ff0e66827e6a1fa27abdd322987906cfdb3cdb49248efee04d51fee65e93b5d964ff78095866e197448358a9de9ec7f45d4158c0913cbf0dbd849883a6e90

C:\Config.Msi\e581b18.rbs

MD5 51da5317787aa907336e4df5bd65c54a
SHA1 e7771c04f8c069d2567a650741760a9381a0a4a1
SHA256 1662c37b932916bed23081f37e5d808d2842b13c909f702b87fbb29952b6cd59
SHA512 ff19372283087a83cdf6f5f6a0a52532095804a87e5b108eb3e4a90c6df6ea70cab5723bb2c9335dc2b4a836930befcd8ec7cb82fb8f5b52318b97d79484c02d

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\UnRar.exe

MD5 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256 e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512 d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\iwhgjds.rar

MD5 e9b2c4a0d8637ef7609e47b5677640aa
SHA1 5880506e1b269389720c4c4df0b6b0bc5a36a657
SHA256 94e750907eb0fccf548119557b2477c23474b243fcdd668b017a6805d95b3b19
SHA512 134d0b9f04cf8cec193d376cf35de02be32515a81675f1b3a637b506f1cc87201a48223c262777323f820256b9bb24d9b759121d2842ccb6b6f3de2a2f532e62

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\createdump.exe

MD5 71f796b486c7faf25b9b16233a7ce0cd
SHA1 21ffc41e62cd5f2efcc94baf71bd2659b76d28d3
SHA256 b2acb555e6d5c6933a53e74581fd68d523a60bcd6bd53e4a12d9401579284ffd
SHA512 a82ea6fc7e7096c10763f2d821081f1b1affa391684b8b47b5071640c8a4772f555b953445664c89a7dfdb528c5d91a9addb5d73f4f5e7509c6d58697ed68432

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe

MD5 d3cac4d7b35bacae314f48c374452d71
SHA1 95d2980786bc36fec50733b9843fde9eab081918
SHA256 4233600651fb45b9e50d2ec8b98b9a76f268893b789a425b4159675b74f802aa
SHA512 21c8d73cc001ef566c1f3c7924324e553a6dca68764ecb11c115846ca54e74bd1dfed12a65af28d9b00ddaba04f987088aa30e91b96e050e4fc1a256fff20880

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\avformat-60.dll

MD5 01589e66d46abcd9acb739da4b542ce4
SHA1 6bf1bd142df68fa39ef26e2cae82450fed03ecb6
SHA256 9bb4a5f453da85acd26c35969c049592a71a7ef3060bfa4eb698361f2edb37a3
SHA512 0527af5c1e7a5017e223b3cc0343ed5d42ec236d53eca30d6decceb2945af0c1fbf8c7ce367e87bc10fcd54a77f5801a0d4112f783c3b7e829b2f40897af8379

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\avutil-58.dll

MD5 3aaf57892f2d66f4a4f0575c6194f0f8
SHA1 d65c9143603940ede756d7363ab6750f6b45ab4e
SHA256 9e0d0a05b798da5d6c38d858ce1ad855c6d68ba2f9822fa3da16e148e97f9926
SHA512 a5f595d9c48b8d5191149d59896694c6dd0e9e1af782366162d7e3c90c75b2914f6e7aff384f4b59ca7c5a1ecccdbf5758e90a6a2b14a8625858a599dcca429b

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\avcodec-60.dll

MD5 32f56f3e644c4ac8c258022c93e62765
SHA1 06dff5904ebbf69551dfa9f92e6cc2ffa9679ba1
SHA256 85af2fb4836145098423e08218ac381110a6519cb559ff6fc7648ba310704315
SHA512 cae2b9e40ff71ddaf76a346c20028867439b5726a16ae1ad5e38e804253dfcf6ed0741095a619d0999728d953f2c375329e86b8de4a0fce55a8cdc13946d5ad8

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\obs.dll

MD5 37d185f03affa6ae144e7cffe41c4f3a
SHA1 101e47b95fce489f0f5154d70811537c96f1674b
SHA256 50d89a47ddecdd32a4a5d4d3fe9d1f8c79ff119a763a6993d6ac07eb53cf5f0b
SHA512 780f175ccdc93d4b24629f0df5ff17be580ddcb42c75552358ff70c2b18178437a53ef8143d424e90178fc6744432d25168c622034765374441e51bbf5e77e83

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\swresample-4.dll

MD5 7fb892e2ac9ff6981b6411ff1f932556
SHA1 861b6a1e59d4cd0816f4fec6fd4e31fde8536c81
SHA256 a45a29aecb118fc1a27eca103ead50edd5343f85365d1e27211fe3903643c623
SHA512 986672fbb14f3d61fff0924801aab3e9d6854bb3141b95ee708bf5b80f8552d5e0d57182226baba0ae8995a6a6f613864ab0e5f26c4dce4eb88ab82b060bdac5

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\vcruntime140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Roaming\Tisoq Corp Solus\Kowi SApp\w32-pthreads.dll

MD5 e1eebd44f9f4b52229d6e54155876056
SHA1 052cea514fc3da5a23de6541f97cd4d5e9009e58
SHA256 d96f2242444a334319b4286403d4bfadaf3f9fccf390f3dd40be32fb48ca512a
SHA512 235bb9516409a55fe7ddb49b4f3179bdca406d62fd0ec1345acddf032b0f3f111c43ff957d4d09ad683d39449c0ffc4c050b387507fadf5384940bd973dab159

memory/2404-126-0x00007FFFCA630000-0x00007FFFCA632000-memory.dmp

memory/2404-127-0x00007FFFCA640000-0x00007FFFCA642000-memory.dmp

memory/2404-128-0x00007FFFAA350000-0x00007FFFAA919000-memory.dmp

memory/2404-132-0x0000015FB9220000-0x0000015FB9221000-memory.dmp

memory/4316-134-0x0000000000060000-0x0000000000099000-memory.dmp

memory/4316-135-0x0000000000060000-0x0000000000099000-memory.dmp

memory/2404-136-0x00007FFFAA920000-0x00007FFFAAB2E000-memory.dmp

memory/2404-137-0x00007FFFA9EF0000-0x00007FFFAA34D000-memory.dmp

memory/2404-139-0x00007FFFBBD80000-0x00007FFFBBDA8000-memory.dmp

memory/4316-140-0x0000000000060000-0x0000000000099000-memory.dmp

memory/2404-138-0x00007FFFA7490000-0x00007FFFA9EE5000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Config.Msi\e581b1c.rbs

MD5 86fcb6fde5da1af89e5f839db1f67621
SHA1 66ee650836b7cfbf1226f1971aced7bbf6b1324a
SHA256 65f02f86e9c1f44c73934ebd21f2c016c942253b7f4363bcc6046a7bf84a6879
SHA512 db77f1c47da83085a821d90ad58a3b6b04df555dce9328590285af2cd2b1b04017ce988cd30c47b07b679344ad14780e3510730511989510abac9a9baf32a14c

memory/4280-185-0x000001A5DE170000-0x000001A5DE180000-memory.dmp

memory/4280-181-0x000001A5DE130000-0x000001A5DE140000-memory.dmp

memory/4280-192-0x000001A5E6DB0000-0x000001A5E6DB1000-memory.dmp

memory/4280-194-0x000001A5E6E30000-0x000001A5E6E31000-memory.dmp

memory/4280-198-0x000001A5E6EC0000-0x000001A5E6EC1000-memory.dmp

memory/4280-197-0x000001A5E6EC0000-0x000001A5E6EC1000-memory.dmp

memory/4280-196-0x000001A5E6E30000-0x000001A5E6E31000-memory.dmp

memory/4280-199-0x000001A5E6ED0000-0x000001A5E6ED1000-memory.dmp

memory/4280-200-0x000001A5E6ED0000-0x000001A5E6ED1000-memory.dmp