Analysis Overview
SHA256
624650db8278744c40f1c924592a1e98551a6bfeee9e7982e6c77b947813bf66
Threat Level: Shows suspicious behavior
The file JaffaCakes118_5c43d1b3bd3443495544f876ae42a014 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in Program Files directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:31
Reported
2025-01-15 16:34
Platform
win7-20241010-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32797571-D35E-11EF-B4EC-5E7C7FDA70D7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443120583" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c883bd70e948c54bad71671c6040e51100000000020000000000106600000001000020000000694ad429025ba7d5929bedec2002994233dfe7429df315c581e8dd2294867ec5000000000e8000000002000020000000287dbf5c550912bb618787e49ecab8f6248cbb8e6f4716ee606f8e79f2d6a5eb9000000002486180b5cfd9a79548faf72ae2598b634deea5f41058136a99b54840bc8e3dedc03716de1ca1c29075e92059971b815ed9d4c252d363303d95d8bc534785066d9894dc7d162dd0c920eb40d2afeec10e4b2e589c67b49f9394bbf10b3ab0f63fd595f905e782bdb0a8663e8b044be9c6803825cb1cd7a063079859b86443d5d81bf4def773cdcc9195e416b31aee5b40000000bcbea754052a1c166f82609d680a66b79815920f102550bbe3c6a2829def9f110a2caaab7dabd51a3ceea120c6b49790a199a250c428097bb14384d3f48eb9c4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c883bd70e948c54bad71671c6040e5110000000002000000000010660000000100002000000092d848e203bdcca0410542a57f3119deaad12df9c5360ff2fcd4ff626240f448000000000e8000000002000020000000c33364ace5acfac1194d64b232550bc520b187c29722bbbcbdd7b631bd556fba20000000206bef35c29130568fcc2e276b7425294a128ac17d4c4230665a55a2f6c6a09d400000000d75effebb4becd4a44a2fabc6693ed6e973ca7278ba8401e433426dcbe366667e06d0fe89173e6cf537a92c607b30c42bab897c68415aa4061202f4a2dd6bb2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901ef9076b67db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Program Files (x86)\Gamevance\gamevance32.exe
"C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8vQwsH0srLk8cix7OjixLLJ7s7W%2F7LFu8KxtcK3trK3tbrF%2F6P%2Fs7OzsrOzs7P%2FzMg
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.gamevance.com | udp |
| US | 76.223.54.146:80 | www.gamevance.com | tcp |
| US | 76.223.54.146:80 | www.gamevance.com | tcp |
| US | 76.223.54.146:80 | www.gamevance.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Program Files (x86)\Gamevance\gamevancelib32.dll
| MD5 | 6e6612829295b2b8d9da4f10bd5e1cd2 |
| SHA1 | d40d3ca38ef269435410d27b89bc92ffaf09236e |
| SHA256 | 69d2cc722a7e19a614cd7438b38128498bd996eed2a7ff45e43bdcd01476caa2 |
| SHA512 | 9745485dc39ceaf51d6ec58007783ccb61697eb4f63b1bd22cb4c86847162a9e2e6814b3490246447dd90770bed4ae11e11c30f36f71c1dc1e4ec47799890d7b |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | 5a7945400a0794dc5d237bc174f8a752 |
| SHA1 | a824e38ed58522414223515ba4814481d5f61ca8 |
| SHA256 | 6f1a16a8d84d49b0c0b796f11741d791c6a9e54c5b0b8a72d5ea090c5b4ef69e |
| SHA512 | a2f816ce30d90d9f375352f6a86fc6a0fcf21d56200f0760da74f0f5c8fc571ced6efc28bac1c7a4bc4bbb24b5e8e33227e76b96df5df22b6182116f696e5ec4 |
\Program Files (x86)\Gamevance\gamevance32.exe
| MD5 | f036a46d211c23b320cf52285ffbb299 |
| SHA1 | 466ecf46fa78072162d493484a18053652caf15d |
| SHA256 | 041ac2cbc0de6a509f6043db4b1e47bafeb309ea22f1477f270fa516b11d71af |
| SHA512 | f285ffcbcce4c1f0274c46d38312ded082b5520bd7538be3b01f8879656d372ca1118bd400b4ae01deb77170aac27e4fbbe4f69a9b1543d0e6da946f6f636a03 |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | e3d68e5e7e762091f5e845640167abca |
| SHA1 | 4bbd9447bbf004eff5ae764acc5cd8a2d36b7715 |
| SHA256 | 17409dcbc8eca711d7c7b3d71ce0d2589793e147e667bf6a6537855ac7b10c6b |
| SHA512 | 8ef6a01bdf1d83d52d8fba92a36c67eeec30dee550a67bbae9fa8403ba705cfd60cb85aa5f0fd520ec33c76733620cf7fc542e7a51f8805258ae5de254fa74b7 |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | ba83ab968ef86375bdef1d4b277f9a01 |
| SHA1 | 41ff9bb1ccb51174337839dc86fb6169d9291a49 |
| SHA256 | 10381dec1ef3ed5005a403218d7c280a2492abaff313dd5ad269e3b5dbddbabb |
| SHA512 | 14a376448a135e4297e06ec8c63a50d6a299a0c701abc450a9a27c1650eee71f9f558b903494b94a9f352a5d6cf34758fa47c33a9e927f9d426afff7f888e526 |
C:\Program Files (x86)\Gamevance\gvun.exe
| MD5 | 52d920d775537b6e5abeae273bdc0bc6 |
| SHA1 | c93d781dd58e7ba2711717a05d771263281cb23d |
| SHA256 | 5232cabba2c58b0ad4c00378395287f519e2ec9282daa654a714fae7a5c601d4 |
| SHA512 | e9be004b77d36994c20bb05c310681288b2fd8f61af7e29ec7638195e1e89a1fdeb9e612c3fd5382b77f44f9e2743a4728e488c4771bfb05f358931c2d10bc96 |
C:\Program Files (x86)\Gamevance\gvtl.dll
| MD5 | 016675c37e90e8761aa528884c0d961c |
| SHA1 | df6056ed2ccfdd65c27970c40f243d18c7206c43 |
| SHA256 | 5ca7b8b39eb09b5dc2f349fc6d507d34deb5ac926b85997ee0fc6ad4ca69d101 |
| SHA512 | 1afb18453c181d7c5b660306b557d4f25ed9274e6b7c7bc983c72e65601e620e5d2402547c090e199666f39404ec2377f5060d441c5f0639b839b8135b4d3c00 |
C:\Users\Admin\AppData\Local\Temp\Cab7774.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar7842.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7726e4932f3d398f55791d171c2be109 |
| SHA1 | c8c02bfc40da924f25664b14ea7893c8560d6d1f |
| SHA256 | 94b35df04292beeeb75b086d4d5b87635920aed3e9fc9f472c56f7c83f4c9a13 |
| SHA512 | db63889405b75f096d51ef8e40ea1b860e461acf8fce131b7ec494a70e7de433dae1081a8c031e2c2adf57fb89c6ab212c9125f59a5d6777abea51df5705535c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 09c94c5239d3130331bb23fa4dd02242 |
| SHA1 | 92f174dad7d82d5609dd7b00a3cc19ba255b7032 |
| SHA256 | 2bab13be3dd94dd8050e7f7502c96223d1fbe8df4878c936f7942fd9d64d8a12 |
| SHA512 | d27abd27181a9b8517a360008c7cbfe521edce4c998918c3476d6dfa90ea4cb0367b0c38fc46b160c8e1a0e125a7ebf67c6d852f380448c84fae58adc5a9fd7b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06004f97d6846b7a873619890eff50fc |
| SHA1 | bf325d88a21262a83a583195476fa2f4f44b1f0b |
| SHA256 | 3c2f4cdd48b692b22582cb394346f2af78dafccce6766f256679a36e83ee5112 |
| SHA512 | 6b2b9fa69eee41bba8fb3e10b191d762fe87059c73f23830fbe2c4ba78d429dfbb4194c411623875de704d54b63c47a3a4f42a2ec954bb850188b843e002357a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c094c540d18d07ded74cfa8f669df3e0 |
| SHA1 | 444a16be30acb03c60330f63ff1d44498f191f6e |
| SHA256 | 2ca1c1a00ebb12fcb7873e5a4543eb87b91957e6dc9ba7122f6e4a4368f7bd56 |
| SHA512 | 6ad9cfc234ecb8c69aae2d87e11192d64663f7ddcb56313294e0cc2dd03b1f9a0f1862ac2cb9ddbd9e9892885c9f900460ef82b336bc578f11e9933b7f7f9930 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3719c502a4fa1ec4f0aa870384c90e4c |
| SHA1 | eee4b39b5396ad3e5c7415c7f41ab51c7503996f |
| SHA256 | fbd68a2e11047f5c09e44ebc0e673fefdb483171c8a253ef91cdb99a83c23602 |
| SHA512 | 6e1fc65c47c8985d82c5faa37f0c54daf079cfa48302d9a1dbe60faa1c71ccd3ff0d5d5687d8fba56fb44edeebbf8cdd1d9714cda367b9aae36daedf9902d273 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5ae0964e6cd4a9938ef847783263f15 |
| SHA1 | 5ad773317d56ad39d4fe7e39c007e824b2dfb04b |
| SHA256 | 6b70006f6424999c0e1be6e56f4bc79c0ec5f9be63bb079ba4eb3d019be5b355 |
| SHA512 | 42512d426504d80533bc0e1424c6af996aa94d726178fd3b2b8cc61283ca1975045fb143658ab18712add55728c1a44879c961de8774ca1bb1d7b857f4aa5311 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a672ab5d8859eecee5359576dbcdea97 |
| SHA1 | 8be8343aff166ba75d1129adf73aeb7444ef67ea |
| SHA256 | 82de32b8c846e029b88309031ef2e3a4023341058698737afbdd111b970e92ad |
| SHA512 | 22dd35e6a8a566153f9129c18e2d1e19531dd03eee2f3e11477579c6682d82cb6da26a9192f1862b6f3e1f0c3fb8762ee91fe60d6b47def873031388de3d9eea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a31a702109e1db1f7ddc96f73b3622b |
| SHA1 | 7022276d6781d4c4a6c95a91e65f5fdd31ca8d18 |
| SHA256 | 3c75124f8b3a5b9ec8caeb1ee0a955fa748fd670246752b0bf9459c5ae73d600 |
| SHA512 | a095daa84d442d78561d356abbb8c944de04e7382c5e3c62fcc62fa5e344bb6fbe77652267cfbb525c31ab3bc0385b8415ddda6f06f6428f814e2d15bdfeae98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a27b7b0b577e3d6feeb5042500ca747 |
| SHA1 | 9d17d99f0cd558c2f0082612226cd0d575b534d9 |
| SHA256 | e3bd2e4e6380001892be5f54a3e3a8b1a105e96a6aef5323e2fde5df58ecc08f |
| SHA512 | 5088b9638337a4875356881521133210764a916e7b128266ad441ce451d4a3636c57b94c196654986a9619eab290dccd622f1cd513787ff15a99793a8a68957a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4febca962e86453953ae8ff48856a12d |
| SHA1 | e35e6d7e7d41aa87ae347df5c2474e4ede3bf6fb |
| SHA256 | d2f804233b8d39dbbf219e73bbc72c54079ea31f1abb9bdb07d29eea6c2b1de5 |
| SHA512 | fc284fee7dcc01dbac33ac9d8f3a643691e081f63a0c5701b5473efa3bb7fd7a232637d1d4cb2221fba9a13df283a61bc8a78b6b6b00495cb4cc40170e95cd0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d5b6af8802301746952f08ff209aef5 |
| SHA1 | b524f2875dbb19d368695b0f18fb322baa8af25c |
| SHA256 | 8da4b1510cf54d8724fc8e23852b609fcffa8a9333bc1b5a98fd5cfc245a6a52 |
| SHA512 | 91912d143c035cb095ef0dc394e8307488304171620a66622dd6152a97214df43615b27afc6a792e95c703c463ca86d0a098cc7b035d366c4ab44310b04c10ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b2ba96b68f018e9b3b3181221b9608a |
| SHA1 | d20e188ad8d85826f46857343181b78c5adc5865 |
| SHA256 | ef3a0ca3003b7dc0a8b0f6f090d24422f0d98bb49e0762aac211ee5447c1a374 |
| SHA512 | b5afcaf99c448a90549a64320d80cad5e8a9ada1fe69c4fe622e61e6b88e83c63a69677c10970ce8bd43af16cd4c0339f42ec4e58ca9f4cdb4eebfaeb74e9fcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7023b7548379f099d1ca1a432c791426 |
| SHA1 | c79218143c3522daca35da394f710600f9c7e80e |
| SHA256 | 43067f78423e4347cc7f05ad073c8013d8dfcf8996463929a822d1d99fd59e85 |
| SHA512 | e280db28cfb49db41f6bffca0c8aa4e05da62c8237e472b7a7361dba0a14b204923c368bd1f11d04f7b2fd8f6e80560f7fcb8a55ecabb8761ca3729f809524ec |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:31
Reported
2025-01-15 16:34
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c43d1b3bd3443495544f876ae42a014.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Program Files (x86)\Gamevance\gamevance32.exe
"C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8vQwsH0srLk8cix7OjixLLJ7s7W%2F8DHurO1urq7ssWwu7bGu7H%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5bc346f8,0x7ffd5bc34708,0x7ffd5bc34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,12282755431808453246,6434045097787501134,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gamevance.com | udp |
| US | 76.223.54.146:80 | www.gamevance.com | tcp |
| US | 8.8.8.8:53 | www.gamevance.com | udp |
| US | 76.223.54.146:80 | www.gamevance.com | tcp |
| US | 76.223.54.146:80 | www.gamevance.com | tcp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
Files
C:\Program Files (x86)\Gamevance\gamevancelib32.dll
| MD5 | 0664fa736f67a69b540efb81748b75eb |
| SHA1 | 343de97ac1e0c988ce666c9ff0ba1ff3f9c2f509 |
| SHA256 | 5d72e2a90c1c9910d7ce9a8a34b0f608ce93faaefdaa5b16df4d00b424b0bb64 |
| SHA512 | abfcf97949f8da71b61fda65b03ccbc59f299b8f93b19699510963efbfa7950ff9197aa0f1b24c1087fd847213a25ded5267923e831a1a683014b4cb0b5c6fca |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | 97dea8c4ca77cecf7448de9c9a0090c2 |
| SHA1 | 85c2382bb8e53abe3ee188e05080056702d800cf |
| SHA256 | 6e8d7bc117c8c99f5574d858d764f0fb6f5db2d386d911b1d675bce8da7e2761 |
| SHA512 | a55344b4ce19462729e6b7b9b7793358cadf640004091c3d99bd548ff09b3ed8f3ae2c0d4972284312b826515e86674d4a673101b96741531c3866b7b297d61e |
C:\Program Files (x86)\Gamevance\gamevance32.exe
| MD5 | 7c4638ec516a0f83abf97ca9e5294e3d |
| SHA1 | 379c049164b272cdb0ab1581644845fc7c405f14 |
| SHA256 | ce5f6a79e1b9c88831c52e9dc0a5d75b78cdd706d8ee5418bc552f3f0671c465 |
| SHA512 | 7de72592bab456a48c5c82e1e5fd3371411af727a12b978c12048429834477e59bf3611b4e2380c9e5dfad70fbec3879d17af2c2ccff0eb9b7bca7fdcb0ccc17 |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | 55a5eeea01b9742dc901ee35ecb433fd |
| SHA1 | 7989b368f58e4a012dde6a3848ce4360403ff172 |
| SHA256 | a9fd716d2b9f81b8b77e12249d142a6de2d6138e0b4fe38ec63a14b0afc692ea |
| SHA512 | 09be1354b8dc23796c871b8d09b2b275943645d239c7a123ef5e5ebb8db0fe50d64e88f6d85e61ad775a1eab1cdce8ed9ff269fdf48566e25ea3e5501c7b68c4 |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | 5e495b0bd34b358df6e9599f0e4e1822 |
| SHA1 | 0a796f302515fc55acc3bc0aed9b08e4ce648bff |
| SHA256 | b7803d8e2fc4ff20a9a374a7b857b335147a7732364ce22f553b76ce030e520e |
| SHA512 | b7d78f57fa599947414b10afe05f5e1dc8e38ffd1730dbf3674b1053da354b5808acc5cd47dcbe3c1d1fa6c3e9a12e56ec71ddb87d4aafa19bd492eefa3fd3d3 |
C:\Program Files (x86)\Gamevance\gvun.exe
| MD5 | 8e3cd24d80244913dd5e74ad7e2d84c5 |
| SHA1 | a096cddedf62a29ddf572f94a0671b6cb1c2e4dd |
| SHA256 | 389fcb02005da287f046b174d1e94fd9058efe2d52e9458c53a2166c99eac885 |
| SHA512 | d35088a027a057511e71cdb06bea292099fba3ee1e0f94f0aed35c9d953b2a9e710401e364a329f5857f2607e784e99671710fa0ecc4d7821736d65347aa7519 |
C:\Program Files (x86)\Gamevance\gvtl.dll
| MD5 | 016675c37e90e8761aa528884c0d961c |
| SHA1 | df6056ed2ccfdd65c27970c40f243d18c7206c43 |
| SHA256 | 5ca7b8b39eb09b5dc2f349fc6d507d34deb5ac926b85997ee0fc6ad4ca69d101 |
| SHA512 | 1afb18453c181d7c5b660306b557d4f25ed9274e6b7c7bc983c72e65601e620e5d2402547c090e199666f39404ec2377f5060d441c5f0639b839b8135b4d3c00 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7de1bbdc1f9cf1a58ae1de4951ce8cb9 |
| SHA1 | 010da169e15457c25bd80ef02d76a940c1210301 |
| SHA256 | 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e |
| SHA512 | e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c |
\??\pipe\LOCAL\crashpad_1740_CUDYUXJNMPPKRHNS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 85ba073d7015b6ce7da19235a275f6da |
| SHA1 | a23c8c2125e45a0788bac14423ae1f3eab92cf00 |
| SHA256 | 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617 |
| SHA512 | eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ac81dd45a39c4f0133f18983ad155f6f |
| SHA1 | 355056789a1cfa5249d3d900f46154122e7522d5 |
| SHA256 | cd08941efc49548d3e1941e87147494f95594e96b22b264a7d363f515465ea27 |
| SHA512 | 8fa9f0efd100c484a5eb977982829472da4ef620c331016109ae2d8151c818154e734f3f556d15effb6aea947cab78752fa5c7335c3fb649aea821ebdc07c2f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d176e37acc6bd6a61deb0dcd122d0870 |
| SHA1 | 450fbb36a3b0038af6051ea18f29de8638b80bee |
| SHA256 | 83c6cef6b1c134bbbef482e77d66f214d0706126178f7735ce394cc66d7c1879 |
| SHA512 | 948668bb7a5637a4d3120cd997f429e4b16b683b86c09e61ef2589aedb7ff53b231378c2d1c4f23a4fdf8ff6549b8294a205df3688cfc226fb2ff68ff192b252 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 36755dd5819b65b1f9e5fe6ee343afbb |
| SHA1 | 2893f8667dda807b58cd0a35f7396b6860db78a7 |
| SHA256 | c840f5ed02897f1789a021fadf32fdef20a2ccc99e74d61228a36bc136dcfe19 |
| SHA512 | 0136453987fa07528764d1e125f18f3dab43b08afd11f8764eb9952b9bc06727da8a9a9f7b528f30e68dc1c9842745bcf1a96b6af37f2a832eb31978d590a199 |