Analysis
-
max time kernel
215s -
max time network
184s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
23-01-2022 12:04
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://transfer.sh/45dIVs/worstgeneration.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
https://transfer.sh/45dIVs/worstgeneration.exe
Resource
win10-en-20211208
General
-
Target
https://transfer.sh/45dIVs/worstgeneration.exe
Malware Config
Extracted
C:\How To Restore Your Files.txt
yourd34d@ctemplar.com
https://bisq.network/
https://www.getmonero.org/
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
worstgeneration.exeAddInProcess32.exepid process 920 worstgeneration.exe 1852 AddInProcess32.exe -
Modifies extensions of user files 19 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
AddInProcess32.exedescription ioc process File renamed C:\Users\Admin\Pictures\StartUndo.tiff => C:\Users\Admin\Pictures\StartUndo.tiff.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\StartUndo.tiff.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\UndoRepair.raw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\MeasureDebug.tiff.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\StartUndo.tiff AddInProcess32.exe File renamed C:\Users\Admin\Pictures\SetRegister.raw => C:\Users\Admin\Pictures\SetRegister.raw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\SetRegister.raw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\SkipPing.tiff.babyk AddInProcess32.exe File renamed C:\Users\Admin\Pictures\MeasureDebug.tiff => C:\Users\Admin\Pictures\MeasureDebug.tiff.babyk AddInProcess32.exe File renamed C:\Users\Admin\Pictures\GrantAssert.crw => C:\Users\Admin\Pictures\GrantAssert.crw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\GroupOut.png.babyk AddInProcess32.exe File renamed C:\Users\Admin\Pictures\InitializeSet.raw => C:\Users\Admin\Pictures\InitializeSet.raw.babyk AddInProcess32.exe File renamed C:\Users\Admin\Pictures\SkipPing.tiff => C:\Users\Admin\Pictures\SkipPing.tiff.babyk AddInProcess32.exe File renamed C:\Users\Admin\Pictures\UndoRepair.raw => C:\Users\Admin\Pictures\UndoRepair.raw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\MeasureDebug.tiff AddInProcess32.exe File renamed C:\Users\Admin\Pictures\GroupOut.png => C:\Users\Admin\Pictures\GroupOut.png.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\GrantAssert.crw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\InitializeSet.raw.babyk AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\SkipPing.tiff AddInProcess32.exe -
Loads dropped DLL 1 IoCs
Processes:
worstgeneration.exepid process 920 worstgeneration.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
AddInProcess32.exedescription ioc process File opened (read-only) \??\Y: AddInProcess32.exe File opened (read-only) \??\I: AddInProcess32.exe File opened (read-only) \??\O: AddInProcess32.exe File opened (read-only) \??\H: AddInProcess32.exe File opened (read-only) \??\Z: AddInProcess32.exe File opened (read-only) \??\X: AddInProcess32.exe File opened (read-only) \??\V: AddInProcess32.exe File opened (read-only) \??\T: AddInProcess32.exe File opened (read-only) \??\M: AddInProcess32.exe File opened (read-only) \??\B: AddInProcess32.exe File opened (read-only) \??\W: AddInProcess32.exe File opened (read-only) \??\R: AddInProcess32.exe File opened (read-only) \??\U: AddInProcess32.exe File opened (read-only) \??\F: AddInProcess32.exe File opened (read-only) \??\G: AddInProcess32.exe File opened (read-only) \??\L: AddInProcess32.exe File opened (read-only) \??\N: AddInProcess32.exe File opened (read-only) \??\Q: AddInProcess32.exe File opened (read-only) \??\A: AddInProcess32.exe File opened (read-only) \??\P: AddInProcess32.exe File opened (read-only) \??\S: AddInProcess32.exe File opened (read-only) \??\J: AddInProcess32.exe File opened (read-only) \??\K: AddInProcess32.exe File opened (read-only) \??\E: AddInProcess32.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
worstgeneration.exedescription pid process target process PID 920 set thread context of 1852 920 worstgeneration.exe AddInProcess32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 624 vssadmin.exe 1736 vssadmin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a0c9d5705110d801 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A82295F1-7C44-11EC-8C33-C64E4713EE09} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01132805110d801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\Total = "18" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\NumberOfSubdomains = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000c778cdf4561762fc58054ca42afd483c6468e625981091d53e89d46c4d953d97000000000e8000000002000020000000df7c8a7549300a0d94a081c17b2c7ee2b6b0986bb633aa77acf21bcdd90dbefc20000000c483acc034c55f4541f13048e496521efeec35f13e3b259233295f4d3da689b540000000e6a34fc6c2575d0b5c9f345540ef73b2f06de862eca9e6561798b92a0544aa31807deb62195af80d2d99f41dd89869547c37153935f7f4116379538f4f451253 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\ = "18" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000c6791dda9fbe68b1aa0cb39432ea83d7b8b72a1467a92a4dcaeaff9bc1d47ae2000000000e8000000002000020000000c1b41f71b9d2b0765b06eb38cacbc183bb17c5736a9ee6dae88211b248bcea80900000004464b8a09e1fff8a8e09a99a5471e69ed9136848c063e88451315525bda2964672aaff4620cdf712c96628fc0693f277b5ff87dc1be669bb2122fd79c0a2234880b9799ce68eaa0a31f5d5204726f72d8f209cb1bfa9d4c5bc7f1dfdb4d0380345b4055bdb162187735a13df2119790ce5eec6ee03482c77a3b66f105ba63269b84878f16b9fbbb5ecf759f9c85605a24000000092de4d448d383689f890738eac7bded2b1e8a7c73d9132cd50413d3df34de87c2f24d5ed05298fc8eb748aa537c152b98f23e6516d4270e07c31ba9105285be0 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349704461" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\ = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh\Total = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DOMStorage\transfer.sh IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
worstgeneration.exeAddInProcess32.exepid process 920 worstgeneration.exe 920 worstgeneration.exe 1852 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
worstgeneration.exevssvc.exedescription pid process Token: SeDebugPrivilege 920 worstgeneration.exe Token: SeBackupPrivilege 336 vssvc.exe Token: SeRestorePrivilege 336 vssvc.exe Token: SeAuditPrivilege 336 vssvc.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exepid process 1608 iexplore.exe 1608 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1608 iexplore.exe 1608 iexplore.exe 1088 IEXPLORE.EXE 1088 IEXPLORE.EXE 1088 IEXPLORE.EXE 1088 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
iexplore.exeworstgeneration.exeAddInProcess32.execmd.execmd.exedescription pid process target process PID 1608 wrote to memory of 1088 1608 iexplore.exe IEXPLORE.EXE PID 1608 wrote to memory of 1088 1608 iexplore.exe IEXPLORE.EXE PID 1608 wrote to memory of 1088 1608 iexplore.exe IEXPLORE.EXE PID 1608 wrote to memory of 1088 1608 iexplore.exe IEXPLORE.EXE PID 1608 wrote to memory of 920 1608 iexplore.exe worstgeneration.exe PID 1608 wrote to memory of 920 1608 iexplore.exe worstgeneration.exe PID 1608 wrote to memory of 920 1608 iexplore.exe worstgeneration.exe PID 1608 wrote to memory of 920 1608 iexplore.exe worstgeneration.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 920 wrote to memory of 1852 920 worstgeneration.exe AddInProcess32.exe PID 1852 wrote to memory of 1448 1852 AddInProcess32.exe cmd.exe PID 1852 wrote to memory of 1448 1852 AddInProcess32.exe cmd.exe PID 1852 wrote to memory of 1448 1852 AddInProcess32.exe cmd.exe PID 1852 wrote to memory of 1448 1852 AddInProcess32.exe cmd.exe PID 1448 wrote to memory of 624 1448 cmd.exe vssadmin.exe PID 1448 wrote to memory of 624 1448 cmd.exe vssadmin.exe PID 1448 wrote to memory of 624 1448 cmd.exe vssadmin.exe PID 1852 wrote to memory of 1664 1852 AddInProcess32.exe cmd.exe PID 1852 wrote to memory of 1664 1852 AddInProcess32.exe cmd.exe PID 1852 wrote to memory of 1664 1852 AddInProcess32.exe cmd.exe PID 1852 wrote to memory of 1664 1852 AddInProcess32.exe cmd.exe PID 1664 wrote to memory of 1736 1664 cmd.exe vssadmin.exe PID 1664 wrote to memory of 1736 1664 cmd.exe vssadmin.exe PID 1664 wrote to memory of 1736 1664 cmd.exe vssadmin.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://transfer.sh/45dIVs/worstgeneration.exe1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
3155c3c9e5aaa1e74a8fcb117ff94672
SHA12c63253616ad64c052e08f48223fdbc25c484eed
SHA2564a921825386e618862db5eac0c0bcf06c962785b14a07e4559a03fa2e4c1014f
SHA5120daba3d92ed08d747b7b7911911aab6ebbcc05089729e8122b2518a2a265b9367d9f7b65815122d5499ac57409e16f12a0a46b648cc5df976ef3cd2e234df2a5
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.datMD5
15f216175114ed62a734e1e38d32b396
SHA1d0774371a47f93797de0918e4c73b5cc9c441493
SHA25649359724701ffbeefa2e9624b139e0a4c616948d56e25b1a2009c892a3028754
SHA5121605a8343dc0294de9d893ac0914cde44e71dbcc3ac6630936daea298453bf79625d19bf544bd9f65d36eadb56b30738fdca93b1bb9bce2b71d7f98dccb8cf1e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exeMD5
4dc689389054b8aae01c162fb7fec051
SHA1fd4356fd980f837a813515321fe5f54d5625258b
SHA256e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82
SHA512e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe.w1lz7su.partialMD5
4dc689389054b8aae01c162fb7fec051
SHA1fd4356fd980f837a813515321fe5f54d5625258b
SHA256e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82
SHA512e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OEEFWG3J.txtMD5
0cdf3277491f0d4a1af45538ed1da204
SHA13ed6dab373027500e5432752ac96fc5c01fbe2bd
SHA2569ef963e8286af4b50cbfad933ad42a3f22024e1ef233084b2b683e2557d2b54a
SHA5123f18e3740ec1fff7d1680f8a9edd8ce781e91e022475212716271e1b342b8dfdad5a69fcf3fda19340df691eec06707c0cb824217b343e19246ec9ccd561dc58
-
\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
memory/920-57-0x00000000001C0000-0x000000000022C000-memory.dmpFilesize
432KB
-
memory/920-62-0x0000000001E10000-0x0000000001E16000-memory.dmpFilesize
24KB
-
memory/920-61-0x0000000000850000-0x000000000086A000-memory.dmpFilesize
104KB
-
memory/920-60-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/920-59-0x00000000004E0000-0x00000000004F6000-memory.dmpFilesize
88KB
-
memory/920-58-0x00000000004B0000-0x00000000004E2000-memory.dmpFilesize
200KB
-
memory/920-70-0x0000000004E31000-0x0000000004E32000-memory.dmpFilesize
4KB
-
memory/1852-64-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-69-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-68-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-71-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-67-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-73-0x0000000075471000-0x0000000075473000-memory.dmpFilesize
8KB
-
memory/1852-74-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-66-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1852-65-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB