Malware Analysis Report

2025-08-10 22:23

Sample ID 240202-1rqxgaageq
Target 8aa0c81d85cd15b6295dc749662c47b1
SHA256 8bea8d31f0bcf44ca920cfc577355bc889d79187e41593a3420c9d2aa27464f7
Tags: adware, discovery, persistence, stealer
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 8bea8d31f0bcf44ca920cfc577355bc889d79187e41593a3420c9d2aa27464f7

Threat Level: Likely malicious

The file 8aa0c81d85cd15b6295dc749662c47b1 was found to be: Likely malicious.

Malicious Activity Summary

Tags: adware, discovery, persistence, stealer

Modifies AppInit DLL entries

Loads dropped DLL

Installs/modifies Browser Helper Object

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 21:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 21:53

Reported

2024-02-02 21:56

Platform

win7-20231215-en

Max time kernel

141s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"

Signatures

Modifies AppInit DLL entries (persistence)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Checks installed software on the system (discovery)

Installs/modifies Browser Helper Object (stealer, adware)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ver19111-890258183.txt C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\rrs.zip C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.0.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.2.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.5.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\SysWOW64\vmmreg32.dll C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\SysWOW64\log.txt C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\webmin\vmmreg32.bkp C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.1.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.3.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\vmmreg32.dll C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\VIDEO.sys C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\webmin\VIDEO.bkp C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.4.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\dpcr.zip C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\winhelp32.exe C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\clrs.tmp C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2752 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\kwv.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\kwv.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\krvm.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\kwvrm.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\kwvrm.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ = "%SystemRoot%\\system32" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

"C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 thebestwebsearch.net udp

Files

memory/2752-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2752-1-0x0000000000030000-0x0000000000032000-memory.dmp

memory/2680-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-4-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2680-5-0x0000000000400000-0x000000000046A000-memory.dmp

\Windows\SysWOW64\vmmreg32.dll

MD5 6b03feb120f2b1ee8c813dd040e9d4ab
SHA1 e0dc0c7ad7c47787aa4771b3ee0a6d848c8666a2
SHA256 2f63c5f575bb8ac5a5346efd2dc2bfa232f36aedef5210dda334a066ffd3efe3
SHA512 7cfe70ff445190e1b64284718e0cb0dc5bcfaa20afe893647ece093993223d49a24139356434ac8a680dde63a9d93a0e115e298d0e3525f31a1b3850cc0158fe

memory/2680-11-0x0000000000600000-0x0000000000645000-memory.dmp

memory/2680-12-0x0000000010000000-0x0000000010054000-memory.dmp

memory/2680-14-0x00000000003E0000-0x00000000003E2000-memory.dmp

C:\Windows\kwv.cfg

MD5 fd03887411dfd900c39337951e679b04
SHA1 42152a98048ce7705b7d41468fea303c30b7c28a
SHA256 526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0
SHA512 69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

C:\Windows\SysWOW64\ver19111-890258183.txt

MD5 245f43b8765dd5669acee5ca14809431
SHA1 70aa396c20933cdaabf5a27cb6cec66403d7213f
SHA256 54856a3879f8d3486bbd93c109fd9412081b44eac4b3427d579882086ee815e3
SHA512 a082019585d345e6562ce86057f409bb16f0f0f776181a7163e19148e9d4d3fd2be4e05f777ec491f74e83b43aa3233615ece400d802a0adf80cfae5b9d48ada

C:\Windows\SysWOW64\ver19111-890258183.txt

MD5 4e54d7a58318e67a087e997132ef1825
SHA1 2416dd79a5b5fd896108472f8fa0f8f0e5d2d67e
SHA256 1872765dcdf3e77222ada1d35f0634ca78746f03e3707c68385f9ddef1c13cd8
SHA512 5ad0d0805b436397254df22d10af4d190b8cd9d0b3c7a695a3a37854543d9024d400d4d4dc9e1301a71b03764a37ff3dd12b5cd58e34722903efb8755f2df149

C:\Windows\SysWOW64\ver19111-890258183.txt

MD5 7c303d4aa154d0ad82867b031db4caf9
SHA1 2ef010eac443567d30e3f33f50368e9d11b03b8e
SHA256 151b30269646878e30900be6232534b1c30763d8b210c4d2b6852233e1a4b1c5
SHA512 22822297902f8495a8c7479cfb3f958159e1a51ddd72240f402cebc122605af6da5ad5b86173c7a66ec9d1516fe6add5b20f5bd5a25c504a7fbc23b794044ff4

C:\Windows\SysWOW64\ver19111-890258183.txt

MD5 43edf561a95aca5f530dcbb3fc219ac5
SHA1 ebd6bfa16d7747f29af02da4d0435ed5a03d4ce3
SHA256 5c357b0fef24a983ed3255417ecfbe08ec3d8a971843fda978393540182140bb
SHA512 574d23b9dd95fe0ed49673d8e97c4c62eb64041b4d69def02cc8288ad6083c924d16c90ab9113f830c9a099325a25cb719388fe3be3ac57c0df679312fef1b91

memory/2680-334-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2680-335-0x0000000010000000-0x0000000010054000-memory.dmp

memory/2680-339-0x0000000010000000-0x0000000010054000-memory.dmp

memory/2680-345-0x0000000010000000-0x0000000010054000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 21:53

Reported

2024-02-02 21:56

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"

Signatures

Modifies AppInit DLL entries (persistence)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Checks installed software on the system (discovery)

Installs/modifies Browser Helper Object (stealer, adware)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vmmreg32.dll C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\VIDEO.sys C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\dpcr.zip C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\clrs.tmp C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\SysWOW64\ver19144-890258183.txt C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\rrs.zip C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.3.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.5.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\webmin\VIDEO.bkp C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\winhelp32.exe C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.4.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.1.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.2.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\SysWOW64\vmmreg32.dll C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\SysWOW64\log.txt C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\SysWOW64\run.0.reg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 392 set thread context of 3672 N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\kwvrm.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\kwv.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\kwv.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File created C:\Windows\krvm.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
File opened for modification C:\Windows\kwvrm.cfg C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ = "%SystemRoot%\\system32" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1 C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library" C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

"C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 thebestwebsearch.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 thebestwebsearch.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

memory/392-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/392-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/392-2-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3672-3-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Windows\SysWOW64\vmmreg32.dll

MD5 6b03feb120f2b1ee8c813dd040e9d4ab
SHA1 e0dc0c7ad7c47787aa4771b3ee0a6d848c8666a2
SHA256 2f63c5f575bb8ac5a5346efd2dc2bfa232f36aedef5210dda334a066ffd3efe3
SHA512 7cfe70ff445190e1b64284718e0cb0dc5bcfaa20afe893647ece093993223d49a24139356434ac8a680dde63a9d93a0e115e298d0e3525f31a1b3850cc0158fe

memory/3672-9-0x0000000010000000-0x0000000010054000-memory.dmp

memory/3672-10-0x0000000000630000-0x0000000000632000-memory.dmp

memory/3672-11-0x0000000000650000-0x0000000000695000-memory.dmp

C:\Windows\SysWOW64\log.txt

MD5 9a10ec1af465c9edda9a803825260cf9
SHA1 112717da5f03fc6d482ee006d6930c36271b3f52
SHA256 116b9949ece1091a1e300f0d3a6bd9533cfd2d3942a526dc6d02b583b6d10c2e
SHA512 c53648bae85fed65145cd08a1c5a649a01caa790303920c5391ed7fd1b7a9106c65dba62c133f432b7a0b494e56f4685f53533c71e6cb548066f40eb54b1fb04

C:\Windows\SysWOW64\log.txt

MD5 7bc374f4cd77ab09ad587290011456b1
SHA1 80120a7094c94a0744ef7d1429465dcc3ea816bb
SHA256 d29c5dd3c2e6c70a4989eb065357e6676cf65ad6fab64426ea0466ec83dddbc6
SHA512 8381180074baec9eebd26e30252e3faaf43c5abb430388687864a9dbd0ae947f89946fb8a102c8425f29b26d0c4b4fed9d8f4ee2b226f082533400709ba21abf

C:\Windows\kwv.cfg

MD5 fd03887411dfd900c39337951e679b04
SHA1 42152a98048ce7705b7d41468fea303c30b7c28a
SHA256 526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0
SHA512 69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

C:\Windows\SysWOW64\ver19144-890258183.txt

MD5 e890e3f14947969c7881b3b85a087335
SHA1 79e4fb1aed296fd6e99998ed5fe035b5f697a16f
SHA256 ea7f4499ab15cb7e1b19712bce38b23a1bc5a1ff345f651e5d2675b6f9565456
SHA512 d1b0afb6389e8e5eacbc305d8fab87890de58a44198d6ff4180bc1b13f04f9093c5d050ca0f924a3f736e329a45e101075ed7f82fdafe00e1bb51e2bfff82d7d

C:\Windows\SysWOW64\ver19144-890258183.txt

MD5 31c2432b92db95b25fdfa5d509e397f2
SHA1 8684a477112669789f9490383f2c9a4a3963adff
SHA256 d2788dc590dbbc71f069fb484b129bda9c7aebab56d5247675ce29d4b86be78b
SHA512 850426e1d7c87022cf01c351c6787b7edb5029005c406c0c2db6ab9907fc4040087e4c944599bf0a1f810cc6b91e474a650bd3a137c241e93424975a58b9733e

C:\Windows\SysWOW64\ver19144-890258183.txt

MD5 68ed34f4855c533598db9dd5bd9ff790
SHA1 944338f3bee1dc28abe3a646a9d2d3cacb68e8ce
SHA256 810c4325aff30ff41d3fb19cade3073c60252c814ea6f15b78676e1e3d5d3e39
SHA512 cf5d2fdfe24f6e7831acbf60cc2e91b390a7b476d4ab5457561ef52d5763de1bd96cd44f5ec04e301d6dde71fda304e4104a95d25b85e7966519e0f824466a16

memory/3672-96-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3672-97-0x0000000010000000-0x0000000010054000-memory.dmp

C:\Windows\SysWOW64\ver19144-890258183.txt

MD5 b57ea27c4cda34f095b1d6c7cdf6b4fd
SHA1 b9e533efebe39cbf7f5486c76d14cbf9031cfb72
SHA256 e3374cf3c674c183d74b213bfa31cc7ec194101b3c8b2bf95000d19fd32888ab
SHA512 b3ff4dcfbe262ec94752ea8c8581ca841fe90f154285c1b25ffdb3b854bca61bd9a2755da83094a7b1cc0deb80a78f5787df5c1619af9c943a380cbd94b2846b

memory/3672-261-0x0000000010000000-0x0000000010054000-memory.dmp