66d5386bab9d3ebbea1fd59ee2f03ec183191fa77d3bc7452e25783fec86ed6f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
Size

1.9MB
MD5

44984716689d71db1360e6b2722a5283
SHA1

3506cfd3b45c80e3bc97c70499f1b195aa5ed9cd
SHA256

66d5386bab9d3ebbea1fd59ee2f03ec183191fa77d3bc7452e25783fec86ed6f
SHA512

7d43d53903811eb99d1d6ddc3a663d02b4b4701a399db0659d4bb8149c617554b161cc75cf70c9e39d2f63c02e4a01c7175f1f767b2829a28a0685428d5fa1c2
SSDEEP

49152:sW8QbBnW5oGvmx4UJASuA4wDinashps9AzV1pCh9mLs0g:ySBnW5d+lub3asPs9S7pcr7

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1004	gamevance32.exe

Loads dropped DLL 3 IoCs

pid	Process
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
1004	gamevance32.exe
4724	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a"	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gamevance\gamevancelib32.dll	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvun.exe	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\icon.ico	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvff.tmp	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\ars.cfg	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevance32.exe	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	gamevance32.exe
File created	C:\Program Files (x86)\Gamevance\gvtl.dll	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamevance32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	gamevance32.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1296	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	94
PID 412 wrote to memory of 1296	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	94
PID 412 wrote to memory of 1296	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	94
PID 1296 wrote to memory of 1004	1296	cmd.exe	96
PID 1296 wrote to memory of 1004	1296	cmd.exe	96
PID 1296 wrote to memory of 1004	1296	cmd.exe	96
PID 412 wrote to memory of 1376	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	98
PID 412 wrote to memory of 1376	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	98
PID 412 wrote to memory of 1376	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	98
PID 1376 wrote to memory of 4724	1376	cmd.exe	100
PID 1376 wrote to memory of 4724	1376	cmd.exe	100
PID 1376 wrote to memory of 4724	1376	cmd.exe	100
PID 412 wrote to memory of 4888	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	101
PID 412 wrote to memory of 4888	412	44984716689d71db1360e6b2722a5283_JaffaCakes118.exe	101
PID 4888 wrote to memory of 4880	4888	msedge.exe	102
PID 4888 wrote to memory of 4880	4888	msedge.exe	102
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 4804	4888	msedge.exe	103
PID 4888 wrote to memory of 2108	4888	msedge.exe	104
PID 4888 wrote to memory of 2108	4888	msedge.exe	104
PID 4888 wrote to memory of 244	4888	msedge.exe	105
PID 4888 wrote to memory of 244	4888	msedge.exe	105
PID 4888 wrote to memory of 244	4888	msedge.exe	105
PID 4888 wrote to memory of 244	4888	msedge.exe	105
PID 4888 wrote to memory of 244	4888	msedge.exe	105
PID 4888 wrote to memory of 244	4888	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\44984716689d71db1360e6b2722a5283_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44984716689d71db1360e6b2722a5283_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Program Files (x86)\Gamevance\gamevance32.exe
    "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8T1wsH0srLv%2BbLPxtLVy%2FDo7fnX%2F8DFu7TAtbu0sMe0u7K1tsD%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc822346f8,0x7ffc82234708,0x7ffc82234718
    3⤵
    PID:4880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    3⤵
    PID:244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
    3⤵
    PID:4260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,706415407045964296,3013090818938250593,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
    3⤵
    PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
95B

MD5
494adb583d97d0ee9fde3bd893480125

SHA1
4ddfd13fb122dd2ba9b57634d2d29d31f209f2ce

SHA256
58e6113732c3d85664d5d5cf7973a37db9aa8f811bdb95361e246498ee252f87

SHA512
dbdbe9603ded8edf061e464ac342cb83bbbc77e009277844de31fd778bfe53cd87da6c304914bc6be0e9d3ec5794ffc536eea3083cc5ab8b0cb43430428bea72

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
107B

MD5
b54157cde5ca4851200a4d4dfd6d905e

SHA1
686144c0e5872c9b4864e2b235bcbf17b52bcad9

SHA256
79057360f76cf5aaac16d7c9535ff1dd3551af858261916de0a1547dc48a2449

SHA512
31f33113c25ed9c25dd6971083c3eb255357506ce450c8b91aac574b6fa9debbedb842f9992e794c60dcdcf061f63823d813ce4531894c6f3fbb4dc909873c34

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
166B

MD5
658cdf3266eb9630831a1a123a7a5f20

SHA1
f07f7ff8e8ff77f0bfc8df06644b9a326137a5f6

SHA256
fe8fd2109855c757f726fcdaffb78f75806908398b19b9c5d69d3f3960e020c0

SHA512
2a4d08ea988da6dd391f2cfdc2ae3ebb03370ef8e6398acc3f82e6eda5f166c0fe1675773ea057807c990cf5c3391ab15f993ee96d770ff8016ba9034fb3cb56

Download Submit
C:\Program Files (x86)\Gamevance\gamevance32.exe

Filesize
234KB

MD5
7706ed3cf01c6ae63c89d640ef8f292f

SHA1
695d1d9d09388cdb0ca0098ae0a184b66171de9f

SHA256
6237bc4ba5fcec98ccb707c796a02ce71b5c1def9716732f12d2b9762e6b8359

SHA512
e5e8388da4eba54637ec5d3a551b77ce3ffe6f7730bcc2c8a36648c377caa39c4fe576bf75dfec97e59058952643d83138e50ed358776fb09f7051b20c85db7b

Download Submit
C:\Program Files (x86)\Gamevance\gamevancelib32.dll

Filesize
223KB

MD5
d23db0b2d94c39aa730998de00ba68b4

SHA1
a6d6334e8f44a59605cb75859faf4d45042b8e08

SHA256
8d5ad8454024b0027d638a472219b4757fab19d4244cf46ed2928a1c661bd26f

SHA512
f3633aeef781c21123049dae54a6037e351dfcb5b02b36fbc951a639cad19209d1a5e0f51cb4fd4369da4acbf986bc0a9b57c571bb8634cf367ac8ad23a514f6

Download Submit
C:\Program Files (x86)\Gamevance\gvtl.dll

Filesize
154KB

MD5
c6ecec4f180f5cf57a13e338015dc0a2

SHA1
dfab483824956bddd46e61b5f6db3536fcc0ac64

SHA256
ae939f3c64886fe24081c1070e3a7eaf04f2864db451e682efd1ff5cf546d007

SHA512
a878b12487e5062441e2f23c7a72f9eec23e590e80db60c9c6c03e270e7e6283c951663adf7212ecbd649bdabf62b09ce1ae827b4d0b0a54c924aa129ebda72d

Download Submit
C:\Program Files (x86)\Gamevance\gvun.exe

Filesize
256KB

MD5
078036615e2d9a94ddef08399d57b623

SHA1
3caa4a3fb30d1d6f20df859d5e36efbd075ab952

SHA256
8f94b3124ddaeaf38d66d40057cb6f92aae6b7779644cdf01c35f962fcdaa7c5

SHA512
d957f081476aa94dc1e1f6b29cef1ef06ffa871db768056e1721b63d54c50448c35bfc15ae01589690b99547f5a165bbb200d4e9456177190be43b2a27d16db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\061004c4-78bf-46a1-811b-d573370d42d5.tmp

Filesize
6KB

MD5
e059ddd437b7388ecb3f88ca62bb5134

SHA1
c592da946ca20e14429c438305d9167718dc938b

SHA256
5723c949de37f9e7fa20b45ecd25a28007f03942e9c97f8eb3c78c91fcfb5f85

SHA512
897831bf8ec5bf43d42c17107fb6891bb285f11dc28846b30243d90cb8d1b10596eecd6feadeae77f326f7894253759025fba43d4197164c0f68f6430958c778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
215KB

MD5
1585c4c0ffdb55b2a4fdc0b0f5c317be

SHA1
aac0e0f12332063c75c690458b2cfe5acb800d0a

SHA256
18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5

SHA512
7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
e6e4f176f8ddd1605ffb482dd8d2ee80

SHA1
ff2ca66b816504ffc24bff872aeaca1759e396f7

SHA256
8543c84ac7b42ec5aca17f1b6bff58936ed7391c424986ad8c292e54585dfbee

SHA512
63c2d1282dcce29ae8957306e9ba02294538679db6127d44a0b336051d3996e92d1db78005c6ad79b7a12e5adc06f4297775663a9cdbb125c8bcd06a0adb311c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9576475096bc9821bfd2c20aa7621b7c

SHA1
af2447dc5d586a15e90e5bae8bb18a8a11634a39

SHA256
e9de34c6bfbd4e2cbaa4a8d144842c57c4feb64334304f2a42962167711edd1d

SHA512
f0f15a329c4c42e072e3e2c7b6ae987c2fb2b38a98f3ddeb4fd6a4583d886082b0dfc87af9c86b87761034b5e91761385e04cbe0874195c11e6ebf811f51bc20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17e62e28b57bd83303d0746fe42f0230

SHA1
07d9d6d273b2ca0a0c150cfd07b7f92ab9a7c48e

SHA256
eabb40d36cabcca91e58c6b68409d553b42ac1e10ae07b7cc662af6f7165ce02

SHA512
0a108d0d735885549c4376e6fda88118a79984455c90268993675396ad713a8c395b2e8fd03eaf97115c0caf37bbcbd62e8ab365788a84183dec868caf927d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
850f071eab1e285f6dab10d995eb78a3

SHA1
48b559ec9c09e7e0f6b995034adf7aeb9f6ceeb9

SHA256
79825c2277e0740f6949bcf64bac986040a2b966c4c8e876634e1dc02882050c

SHA512
a9930e701d129d751f07493dabf8a96ddf2dd20c779a00daf1152c9925522f1254f021a9678861259e718f65545c4c2f8ad50a286a0354cd509ef4b39d2142b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5808d5.TMP

Filesize
1KB

MD5
1ff5e590c148237a9ae833cf16fbd915

SHA1
cded1670bedaf43eaaa55a0ccad66e3bc73e548a

SHA256
1afa23f97a0918169cdfe84495f7eccd0f6e30cc92f1907496b4f410c2d74da6

SHA512
3d9081ab756231640b90e4b5289d8595d7ef463fbb19ddeb7b084245bfecc411c79e24eec31e242fa1840c865c7ca1471bfd91d2021d1a840726a1a3f17d237c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
305fff6d5a79670389b70d506e8ce7e5

SHA1
1fc4c4e7cd76e61e19fda42c8c6d6acde66e48e5

SHA256
11a8c1333250677c7632567215b5384d6d25b58c98c2ecf924f9954764625f1f

SHA512
bae47e94fee54ce8675aadfe36ce2094e0a51f0f611eb65b1e602bb6f48a05c7bc42a207b1cc391218665c2afcc33a099a29c6ee1cbed0fdef9617524a51e879

Download Submit
memory/412-81-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/412-157-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/412-0-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/412-1-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/412-14-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/412-55-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/1004-174-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/1004-61-0x0000000000850000-0x000000000089E000-memory.dmp

Filesize
312KB

Download
memory/1004-38-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download