Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 19/01/2025, 12:20
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
- Size: 2.2MB
- MD5: c7a1ca0494dfe29af1bcda95bbba62bd
- SHA1: 0655e57ae451a5df2a3cdac24a3c12cea0a352b1
- SHA256: 170f244f5040337b0c5919e3fce1f6c3d9cefbb6ec05531c3c92ac501a1e92e7
- SHA512: 1fe05c8af2fdd76837d6e69cb2859d056b172e3e5b2571ed8676fda299f9f04262152a618828bc96ac7821cd0d6a266629cd5986467d1974654a62824e82bf56
- SSDEEP: 49152:++7plv3oZz1m/WOVwPuNcIO6QOnIqno7IJg9N2AtI2DON:zpp3oZ8eYK+QOVnMIJgG+I4Q
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  pid Process
  2736 gamevance32.exe
Loads dropped DLL 4 IoCs
  pid Process
  2692 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  2832 cmd.exe
  2736 gamevance32.exe
  696 regsvr32.exe
Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
  description ioc Process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description ioc Process
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" regsvr32.exe
Drops file in Program Files directory 9 IoCs
  description ioc Process
  File created C:\Program Files (x86)\Gamevance\ars.cfg JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created C:\Program Files (x86)\Gamevance\gamevancelib32.dll JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created C:\Program Files (x86)\Gamevance\gamevance32.exe JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created C:\Program Files (x86)\Gamevance\gvff.tmp JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created C:\Program Files (x86)\Gamevance\gvun.exe JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg gamevance32.exe
  File created C:\Program Files (x86)\Gamevance\icon.ico JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  File created C:\Program Files (x86)\Gamevance\gvtl.dll JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description ioc Process
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamevance32.exe
Checks processor information in registry 2 TTPs 6 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description ioc Process
  Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 gamevance32.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier gamevance32.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString gamevance32.exe
  Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
Enumerates system info in registry 2 TTPs 4 IoCs
  description ioc Process
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct gamevance32.exe
  Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS gamevance32.exe
Modifies registry class 31 IoCs
  description ioc Process
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" regsvr32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid Process
  2692 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
  2736 gamevance32.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid Process
  2728 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
  pid Process
  2728 iexplore.exe
  1440 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 27 IoCs
  description pid Process procid_target
  PID 2692 wrote to memory of 2832 2692 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe 28
  PID 2832 wrote to memory of 2736 2832 cmd.exe 30
  PID 2692 wrote to memory of 576 2692 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe 31
  PID 576 wrote to memory of 696 576 cmd.exe 33
  PID 2692 wrote to memory of 2728 2692 JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe 34
  PID 2728 wrote to memory of 1440 2728 iexplore.exe 35
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe"
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
        C:\Program Files (x86)\Gamevance\gamevance32.exe
        "C:\Program Files (x86)\Gamevance\gamevance32.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        PID:2736
    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:576
        C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        PID:696
    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8rHwsH0srLK0M%2FL0dfKzrHk0uHL%2F7G7s8Kzs7K3tLrHtrqzwcb%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:1440
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads