Analysis Overview
| SHA256 | 170f244f5040337b0c5919e3fce1f6c3d9cefbb6ec05531c3c92ac501a1e92e7 |
Threat Level: Shows suspicious behavior
The file JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in Program Files directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2025-01-19 12:20 |
Signatures
Analysis: behavioral2
Detonation Overview
| Submitted | 2025-01-19 12:20 |
| Reported | 2025-01-19 12:23 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 151s |
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
Drops file in Program Files directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Program Files (x86)\Gamevance\gamevance32.exe
"C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8rHwsH0srLK0M%2FL0dfKzrHk0uHL%2F7HFs8a1usW1sca2wMe6srD%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1efb46f8,0x7ffc1efb4708,0x7ffc1efb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,430545793209329134,9139544640498468136,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
Network
Files
Analysis: behavioral1
Detonation Overview
| Submitted | 2025-01-19 12:20 |
| Reported | 2025-01-19 12:23 |
| Platform | win7-20240903-en |
| Max time kernel | 149s |
| Max time network | 150s |
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Gamevance\gamevance32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D50C9ED1-D65F-11EF-9BF0-D60C98DC526F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443451123" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bfe5a96c6adb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000948daf569cb5394295313afa243e099700000000020000000000106600000001000020000000f3141c9191d666059f45fa5bd1b8e4c3ed9d2e628e050667a904d5f4e514bfbd000000000e8000000002000020000000b52fe9ec594c811b65080f939a93be425b8fee8b6dbdc896e859281b82d300e7200000009d017ec526e4f970b3954569eddfa3832758d6785ca1d81516d86ab1144a041140000000798a4066253a71e7793d1cb20ace5ce26e1ad5f901cf57c707a1a4e69adbbd4af156ebc283d60044434539683ebdcaa0a6e064035bf081df4c97a11500887e9d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
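Every row in this table is written by the Internet Explorer processes themselves (see the Process column), so it records IE's first-run state for the profile after the sample launched it with a URL, not settings the adware wrote directly. The value worth a second look for forensics is DecayDateQueue: its hex starts with 01000000 followed by the bytes d08c9ddf-0115-d111-8c7a-00c04fc297eb, which is the little-endian encoding of the GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb that heads every DPAPI (CryptProtectData) blob. The parser below is an added example and not part of the sandbox report; it splits that value into its header fields using only the hex recorded above, so an analyst can see which user master key (the file under %APPDATA%\Microsoft\Protect\<SID>\<GUID>) would be needed to decrypt it, and it uses the Window_Placement value from the same table, a plain WINDOWPLACEMENT structure, to show what the check rejects.

```python
import struct
import uuid

# DecayDateQueue value exactly as recorded in the table above (hex-encoded,
# little-endian Windows structures).
DECAY_DATE_QUEUE_HEX = (
    "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000948daf569cb5394295313afa243e0997"
    "00000000020000000000106600000001000020000000"
    "f3141c9191d666059f45fa5bd1b8e4c3ed9d2e628e050667a904d5f4e514bfbd"
    "000000000e8000000002000020000000"
    "b52fe9ec594c811b65080f939a93be425b8fee8b6dbdc896e859281b82d300e7"
    "200000009d017ec526e4f970b3954569eddfa3832758d6785ca1d81516d86ab1144a0411"
    "40000000798a4066253a71e7793d1cb20ace5ce26e1ad5f901cf57c707a1a4e69adbbd4a"
    "f156ebc283d60044434539683ebdcaa0a6e064035bf081df4c97a11500887e9d"
)
# Window_Placement from the same table: a WINDOWPLACEMENT struct (length 0x2c), not DPAPI.
WINDOW_PLACEMENT_HEX = (
    "2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000"
)

# Provider GUID every CryptProtectData() blob carries right after its version DWORD.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_ID values commonly found in DPAPI blobs.
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


class _Reader:
    """Sequential little-endian reader over the blob bytes."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def guid(self) -> uuid.UUID:
        value = uuid.UUID(bytes_le=self.data[self.pos:self.pos + 16])
        self.pos += 16
        return value

    def counted(self) -> bytes:
        """A DWORD length followed by that many bytes."""
        length = self.u32()
        chunk = self.data[self.pos:self.pos + length]
        if len(chunk) != length:
            raise ValueError("truncated DPAPI blob")
        self.pos += length
        return chunk


def parse_dpapi_blob(raw: bytes) -> dict:
    """Split a DPAPI blob into header fields, ciphertext and signature.

    Layout: version, provider GUID, master-key version, master-key GUID, flags,
    description (UTF-16LE, length-prefixed), crypt ALG_ID + key bits, salt,
    strong-HMAC key, hash ALG_ID + bits, HMAC key, data, signature.
    """
    r = _Reader(raw)
    version, provider = r.u32(), r.guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    master_key_version, master_key, flags = r.u32(), r.guid(), r.u32()
    description = r.counted().decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = r.u32(), r.u32()
    salt, strong_hmac_key = r.counted(), r.counted()
    alg_hash, alg_hash_bits = r.u32(), r.u32()
    hmac_key, data, sign = r.counted(), r.counted(), r.counted()
    if r.pos != len(raw):
        raise ValueError("trailing bytes after DPAPI signature")
    return {
        "provider": str(provider), "master_key_version": master_key_version,
        "master_key": str(master_key), "flags": flags, "description": description,
        "alg_crypt": CALG_NAMES.get(alg_crypt, hex(alg_crypt)), "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": CALG_NAMES.get(alg_hash, hex(alg_hash)), "alg_hash_bits": alg_hash_bits,
        "salt": salt, "strong_hmac_key": strong_hmac_key, "hmac_key": hmac_key,
        "data": data, "sign": sign,
    }


def is_dpapi_blob(hex_value: str) -> bool:
    """Cheap test for sweeping REG_BINARY values: version 1 + DPAPI provider GUID."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError:
        return False
    return (len(raw) >= 20 and raw[:4] == b"\x01\x00\x00\x00"
            and uuid.UUID(bytes_le=raw[4:20]) == DPAPI_PROVIDER_GUID)


def master_key_file(sid: str, master_key_guid: str) -> str:
    """Path of the user master key that protects this blob (decryptable offline with the user's password)."""
    return rf"%APPDATA%\Microsoft\Protect\{sid}\{master_key_guid}"


if __name__ == "__main__":
    blob = parse_dpapi_blob(bytes.fromhex(DECAY_DATE_QUEUE_HEX))
    for field in ("provider", "master_key", "alg_crypt", "alg_hash", "description"):
        print(f"{field:12} {blob[field]!r}")
    print("data/sign   ", len(blob["data"]), "/", len(blob["sign"]), "bytes")
    print("master key  ", master_key_file("S-1-5-21-312935884-697965778-3955649944-1000", blob["master_key"]))
    print("Window_Placement is DPAPI?", is_dpapi_blob(WINDOW_PLACEMENT_HEX))
```

The blob resolves to AES-256 with SHA-512 HMAC, 32 bytes of ciphertext and a 64-byte signature, bound to master key 56af8d94-b59c-4239-9531-3afa243e0997 of the sandbox user's profile; the same header test can be run over any REG_BINARY value in a dumped hive to find other DPAPI-protected data.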
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Program Files (x86)\Gamevance\gamevance32.exe
"C:\Program Files (x86)\Gamevance\gamevance32.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8rHwsH0srLK0M%2FL0dfKzrHk0uHL%2F7G7s8Kzs7K3tLrHtrqzwcb%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
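The regsvr32 /s line in this Processes list and the rows in "Modifies registry class" are two views of one action: regsvr32 loads gvtl.dll, whose DllRegisterServer writes CLSID {beaC7DC8-E106-4C6A-931E-5A42E7362883} with InprocServer32 = C:\Program Files (x86)\Gamevance\gvtl.dll and the ProgIDs GamevanceText.Linker and GamevanceText.Linker.1. The second class, {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} pointing at gamevancelib32.dll, is written by the dropper executable directly with no regsvr32 involved, so a rule that only alerts on regsvr32 registering a DLL outside C:\Windows would catch one of the two. Note also that both gamevance32.exe and regsvr32.exe are started through cmd.exe /c, which breaks a naive dropper-spawns-regsvr32 parent/child rule. The script below is an added example, not code from the report or from Gamevance: it replays the registry rows and command lines quoted above as constructed input, resolves each CLSID to its DLL, ProgIDs and registering process, and checks whether that DLL path was also passed to regsvr32. CLSIDs are upper-cased for comparison because the report records them in mixed case.

```python
import re

DROPPER = "JaffaCakes118_c7a1ca0494dfe29af1bcda95bbba62bd.exe"
GV = r"C:\Program Files (x86)\Gamevance"
TEXT_CLSID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
LIB_CLSID = "{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"


def clsid_key(clsid: str, *sub: str) -> str:
    return "\\".join((CLASSES, "Wow6432Node", "CLSID", clsid) + sub)


# Registry writes taken from the "Modifies registry class" table above:
# (writing process, key, value name with "" for the default value, data).
REGISTRY_WRITES = [
    ("regsvr32.exe", CLASSES + r"\AppID\GamevanceText.DLL", "AppID", TEXT_CLSID),
    ("regsvr32.exe", clsid_key(TEXT_CLSID), "", "Gamevance Text"),
    ("regsvr32.exe", clsid_key(TEXT_CLSID, "InprocServer32"), "", GV + r"\gvtl.dll"),
    ("regsvr32.exe", clsid_key(TEXT_CLSID, "InprocServer32"), "ThreadingModel", "Apartment"),
    ("regsvr32.exe", clsid_key(TEXT_CLSID, "ProgID"), "", "GamevanceText.Linker.1"),
    ("regsvr32.exe", clsid_key(TEXT_CLSID, "VersionIndependentProgID"), "", "GamevanceText.Linker"),
    ("regsvr32.exe", clsid_key(TEXT_CLSID, "TypeLib"), "", "{014C4232-6904-47B9-9144-7E0FB7277444}"),
    ("regsvr32.exe", CLASSES + r"\GamevanceText.Linker\CLSID", "", TEXT_CLSID),
    ("regsvr32.exe", CLASSES + r"\GamevanceText.Linker.1\CLSID", "", TEXT_CLSID),
    (DROPPER, clsid_key(LIB_CLSID), "", "Gamevance"),
    (DROPPER, clsid_key(LIB_CLSID, "InprocServer32"), "", GV + r"\gamevancelib32.dll"),
    (DROPPER, clsid_key(LIB_CLSID, "InprocServer32"), "ThreadingModel", "Apartment"),
]

# Command lines taken from the Processes list above.
PROCESS_CMDLINES = [
    f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{DROPPER}"',
    f'cmd.exe /c "{GV}\\gamevance32.exe"',
    f'"{GV}\\gamevance32.exe"',
    f'cmd.exe /c regsvr32.exe /s "{GV}\\gvtl.dll"',
    f'regsvr32.exe /s "{GV}\\gvtl.dll"',
]

CLSID_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.+))?$")
PROGID_KEY = re.compile(r"\\Classes\\([A-Za-z][\w.]*)\\CLSID$")
REGSVR32 = re.compile(r'regsvr32(?:\.exe)?\s+(?:/\w+\s+)*"?([^"]+?\.dll)"?', re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def resolve_com_classes(writes, cmdlines):
    """Map each CLSID touched during the run to its DLL, ProgIDs and registrar,
    then cross-check the DLL against what regsvr32 was asked to register."""
    classes = {}

    def entry(clsid):
        return classes.setdefault(clsid.upper(), {
            "name": None, "dll": None, "threading": None, "progids": set(),
            "registered_by": set(), "via_regsvr32": False, "outside_windows_dir": None})

    for proc, key, name, data in writes:
        m = CLSID_KEY.search(key)
        if m:
            e, sub = entry(m.group(1)), m.group(2) or ""
            e["registered_by"].add(proc)
            if sub == "" and name == "":
                e["name"] = data
            elif sub == "InprocServer32" and name == "":
                e["dll"] = data
            elif sub == "InprocServer32" and name == "ThreadingModel":
                e["threading"] = data
            elif sub in ("ProgID", "VersionIndependentProgID") and name == "":
                e["progids"].add(data)
            continue
        m = PROGID_KEY.search(key)
        if m and name == "" and data:  # ProgID -> CLSID back-reference
            entry(data)["progids"].add(m.group(1))

    regsvr_dlls = set()
    for cmdline in cmdlines:
        m = REGSVR32.search(cmdline)
        if m:
            regsvr_dlls.add(m.group(1).lower())
    for e in classes.values():
        if e["dll"]:
            dll = e["dll"].lower()
            e["via_regsvr32"] = dll in regsvr_dlls
            e["outside_windows_dir"] = not dll.startswith(WINDOWS_DIR)
    return classes


def report(classes):
    """One line per CLSID: DLL location, how it was registered, ProgIDs."""
    lines = []
    for clsid, e in sorted(classes.items()):
        how = "regsvr32" if e["via_regsvr32"] else "direct writes by " + ", ".join(sorted(e["registered_by"]))
        where = "outside" if e["outside_windows_dir"] else "inside"
        lines.append(f"{clsid} {e['name']!r} -> {e['dll']} ({where} C:\\Windows; via {how}; "
                     f"ProgIDs: {', '.join(sorted(e['progids'])) or '-'})")
    return lines


if __name__ == "__main__":
    for line in report(resolve_com_classes(REGISTRY_WRITES, PROCESS_CMDLINES)):
        print(line)
```

Run against the rows above it reports both classes as in-proc servers outside C:\Windows, one registered through regsvr32 and one through direct registry writes by the dropper; on a live host the same resolution (CLSID to InprocServer32 path) is what you would do against every CLSID listed under the browser's extension keys before deciding which DLLs to pull for analysis.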
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.gamevance.com | udp |
| US | 13.248.169.48:80 | www.gamevance.com | tcp |
| US | 13.248.169.48:80 | www.gamevance.com | tcp |
| US | 13.248.169.48:80 | www.gamevance.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Program Files (x86)\Gamevance\gamevancelib32.dll
| MD5 | 48cefc371ef39cf96d3f37cd0f70bd5d |
| SHA1 | d3d75f6398ea4d7bee64bc7275aa74e142f7e092 |
| SHA256 | 667a92f10015a29a5126360c9ad031b71de302eab6cc32598eff17652a5ce1e4 |
| SHA512 | beda67d9d445f85e04fc1d3b3fb3d31bd19b0f89bfd0a5b4b0d211e27f6b9e1ec95990e55e1268d622e344ac6395b353ba2b77ab7ecade2bfc1ab3b3d0eae796 |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | fc384ff7e53d059d8f896ac0e0cb7154 |
| SHA1 | f0036a4ba7732e258151f661d1441be4b185bf62 |
| SHA256 | 7810cf62a304899d8ae93d8078dc66226aceb5f6fc1395a687fd7aaf660694e8 |
| SHA512 | 37fd4e8d7fb428fda8eb84ac8e233db170f1c68812a5e22e13fe105f39391704bdce9b447438cfccb47dad7316d0c402cd46532d14b416c59efeeb82a6236f61 |
\Program Files (x86)\Gamevance\gamevance32.exe
| MD5 | 2d6cb47b2aadf2d7c5fd2f1559938157 |
| SHA1 | ca4a51904662d7482a24dad09cadef93f7a418eb |
| SHA256 | c788788f1b98d94b8fab20033950a3336cb1eb8050bc0adb02ce88ad94de1abd |
| SHA512 | 8cb19ef4388058cfe4a2ce53e2df411fbc91523ba669bd757bd4429c45b3499c36af57023624ba52c041c1ccbbafdb02fabb44b08314a33457df7bf11b76f06e |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | d323db5135cf6272a602a9f3ac1f5829 |
| SHA1 | a059ec65f7a45fb2b98aab00386d28b8bcee8aa0 |
| SHA256 | f96de2c4d6abb48f74aecb048ef9675d40da7e43666960afc22330be77725acb |
| SHA512 | db88ed4404b8156ca192d6fd4fe2c51bbe3ce225764851cd5e6ca02edac0fe0981575112cd905c6be48624f7abaf06709094299c171d671a68638f10baa6720f |
C:\Program Files (x86)\Gamevance\gvun.exe
| MD5 | 09a266a5beb4f75e61e866dd21adb9ea |
| SHA1 | 4b0ef3d3ccfb54116aba706b281ba55ab6814d01 |
| SHA256 | 51e0a1f158476630a3eda0a4add10e5916154660b2e0dc043de38d992963815f |
| SHA512 | 14f311ce1510a96937b64b66b4c30832c6a7c5ed8ba27d1dd302360ae5ef0f562e10c0e1b5bf2f5afde1bf8fafad32bf460a8874ffb126db7e2fd8417f362bb4 |
C:\Program Files (x86)\Gamevance\ars.cfg
| MD5 | 4d3feb43ed328e6f3d24cc8cf92e461a |
| SHA1 | f4bc06928c14037433b02808d3d6faeb57acac46 |
| SHA256 | ff5b33bd6359c9dbd71525919419c132ab64eec252a43845019ddbb3c6f6b02e |
| SHA512 | 83635ecd89c0a45cc925f1482834b21d485c343b6fc06429d64ff4bed3857c5c419050eb76ad2faf4b5451ec4da9af31ec3ecaba9320a7e04a8aaacd8e8365fe |
C:\Program Files (x86)\Gamevance\gvtl.dll
| MD5 | 43be89de704ecea3000c6baed53680f9 |
| SHA1 | 7847c83377f5cae6fc4cc5cb8335edf424598abb |
| SHA256 | 9509317f20ffa2b8451773c3a71af1e1148a0f66f8a00af00e97e03a8379183e |
| SHA512 | a096e1092f56b1cd4164883e9169d53ed5f3a133276a2099fc3ee28ff1ea2fee07dae619fc488bc73d79e09f952173589213257418bcf4a57e8793e7c9116e09 |
C:\Users\Admin\AppData\Local\Temp\Cab99D1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9A91.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 68433c1892f316d5f9b3e42664cc0dcd |
| SHA1 | 2d5a56137f2047c540319445b8038471a589034f |
| SHA256 | 4edce67bd91e528f0dc0ad3c6bd0682018e1c7e002b08b33ffa5fb155dd6dff3 |
| SHA512 | 2f98d3533600a0b2800d445bcd0daa0b920bd1b472fc3f14541528a01f9598e4e63de0ba5ca2cc0fe586da033cbeeb377da01afa964d62fcb659a428895e63c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc92968ffc79a1b05501ba24bfdbb095 |
| SHA1 | 44f94b7d32c75df55bda4eddded6dec9c9cf6ecb |
| SHA256 | 3f8bc6b610969d35facacd20d441e9911415c5edce19849ffa05a5c245211016 |
| SHA512 | ed5cd05ed069232f247b0adf8bf78cc85e8722c1303aacd01599c1dee4b39b22625f26fb6074112bce2692642a4400eae8fe7b93bbb4e60392f96390deffb100 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16e56a75d521c6db6aa3b752d78a424b |
| SHA1 | 955ffa3c00f73ed43418f440c71864e2cc5bd23d |
| SHA256 | b5a4c8649471b8203ff28864c62fae6bd31e1e2d22e57a38a92bc0cce7c13151 |
| SHA512 | fc0de0b75e5ff3963e19e4cebcdda6dfc5ad8771cc1d7f63c26bef4a60704af28be28894c304000ee220138fcb9d5241ea0a3689aada5d50b77cf5fed5fc3695 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b07f58b8669227dec46ef032ef194b5 |
| SHA1 | 1f009af4fc542a61853df3430b5a92ef0e27f78d |
| SHA256 | 790607c412dfff4d7347f9c195713207d588bd6c28170674803f52f43e3f0af3 |
| SHA512 | 1a45bf00e29279ed9c2aec43646e1fdacf28cb47ae6ec86d8a808ea19ad74245404e04ae2d3f62a7fe977330f8607a0e2c47397442c262f40a91caea74d7ab74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93815afb11c2ba960067c84a00860047 |
| SHA1 | 564b723ebd406d8525339f033582a3fc20174589 |
| SHA256 | 0cfc8b2fc6f7bea140f4d48fab38f8dfbdaca6ceda18f121b1ea19e6c9bfb6c7 |
| SHA512 | 6e685904a6ece4a0894f8be0de47fc6feade0ded93337098b54b7ec24a0f2fe779f53436724d405c10690f4d9859f3f441658426db4a84637d6a212c8ab6325b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 44aa258775084489ee8fc000e1a3abf3 |
| SHA1 | cdb5f7eb8f965bdd828505bd725508b293b1c39b |
| SHA256 | 0b59413d7b29132f70036192dbced90d4bdc1784565817280bdd2aa07e9be251 |
| SHA512 | f92a3a3010eb8d9da0a6bc3b489e866d0f5729d6891d7304203cef38d34340fd4fb5366a1bdbd2adbcf4b361d8eb1dce48116679f42f0e788db01607f63228e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f43eb39b5a119673cfcd32411c594f9 |
| SHA1 | 3558e5d25fdf02f31f07237481b6ea071157fd5e |
| SHA256 | ae10250bd0c0b4f56f0f8710c33cef91de73a3cfe1e55f655bb450eff9c1a787 |
| SHA512 | 8569fd874ca9323c9e52e18ddc287c13daa623452bf33d7fd0299f0e4e3a2c4ecc7d72b073dd62a31a0c557c6abc795afc921b51bc517450ad006ab435a6537a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a26da2687b5b6ea182b8bd5483248807 |
| SHA1 | 7c91751f9b9e790a72e53292ec85e54dcf152cdf |
| SHA256 | 94af59a9b303c6575b6458ef2c306b032838015350fbe26a5067dc45b911804c |
| SHA512 | ab00224bf648cd4c784da5dd9ede63aa6facebaab017e7cd44f647990be242f1dee109bd27a7a9b800ceaed0e4ef259115546d9d850d5a6fc14f9544fcfd5fc1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 159230703b4391707d9cd5bfbd36b549 |
| SHA1 | 4f873b625e196590559fde6a8fdc368848fc334f |
| SHA256 | 0bd3389494ac3623faedd3cad771eed910ec9f4c139f52a7947e972bc3a27b9c |
| SHA512 | 892b474a5861572edf085508599f5521ccb63e1ea884f2be03f0f1a4c74ac48b9a10eafe0410ad360e5d5e5465bfdd5e0bbe7687d4b815635f41557d86f954e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fdb935a06e2ea5a7ea20c9c3869b7fa |
| SHA1 | d2d62e26fedd304fdd5da09d1a58b12e5991d1ae |
| SHA256 | e37ce8b7d9c1d5032b217123822df02d5150327a83682c4b6147e43246d71255 |
| SHA512 | 2ca0f1a1569856e5c032af20df62ab0283b1dc98ddf122171e0f7b0a68a9c002cf3dce0728ac54dff5e79b511e990fe963fc60bea92d8195a0024e2d54a5f4e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4197a5695887f26107203fbf817ac0a1 |
| SHA1 | d5d50e2f2a2e3354a723ad51d6a12d1d03751e6a |
| SHA256 | 3c93a2975727b6b2915fb8162877d013402b1ae2fc02508fd80019ebcf91145c |
| SHA512 | 5c5f1cf1554e42b639f88e38f10e5370b78bb1c8d66d49df261d1304fd64af6a78237945033f211e662470401e91f9f62ba28875c90040514472304c178a4af6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0aa00ee6a7905d59232dfae48f68444b |
| SHA1 | fb078e6255219b6c0cf38dca97bde33182c03459 |
| SHA256 | 827e7cfc4165ad5743290e813612375254243dd820f35540f40dcc934e210d59 |
| SHA512 | e937f36c3bcac4cdf7787f0646266862c1d2defbb72356dad8645eecc8d583c6f50241e96f4f010c160c050eeb20863bed3e34eeb589e4639513650169c9ab20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b396e04aacc743d27b2cb383222b8578 |
| SHA1 | bb40305fadd166f59e6b0c1a3c59148d6aeb57b3 |
| SHA256 | 279ffcf532b432ca875026c404388f06e76bd806dfc9d09cb2359c4a5acd83eb |
| SHA512 | abb9cff77c734d813f3a6cabb8003042361f98f7d1b588d9ea01be41305b592c9c2eb2163965c18acfbd9c38c94eef240dc485525e9b4336955f6887900144df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3eedf51bad286bb871270c5a69c03fbe |
| SHA1 | 6e41aa169ecdef0411d5a1304747c171c6e9e5f4 |
| SHA256 | 73136c10be0ca37de1c82b71a32603187e6525c132cefc0f4531c90048385c91 |
| SHA512 | 70d07099b820629218c1efc5659fa96d8f419b970ee72d4873b7682709b1e1b8711bdd03527229b3cefe30f046b756e9c64031c9b3a72478b5dab53a4074552b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 993df4f64eab2c8e0c20358aed6a47f1 |
| SHA1 | c2a9e18860cb599d838a05f3726642f528421e5b |
| SHA256 | 818f917ec1a2063b020732d6d0af684ad12eff2cf10fd9ace29ae60c47af13eb |
| SHA512 | c21397874e07e689326fde184cce6acbcf8c9761d05b3d00c7d89394121d48f23150912b352ca758b9662838992f40400dd8cc241ae2ddddb139bdbcb0d9badd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 83c5539000f810e073c06d8c99ea89b8 |
| SHA1 | ac271772366136a3462a8d7ea710b42f2879776c |
| SHA256 | d21c1c666421b4e83ee5f06f90c344f0b0e06575bba08b96fa83b0e20d1c5788 |
| SHA512 | 0e6bfdf52cdcbf1785c3950beb031ed4b0a56d0de67774218e365b2cee0b6a5d2151409e29f3f29e90a8817fbd77233e7a672bc81419bdd0702dd53c825785bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9b579e1e196451c33512416b547c577 |
| SHA1 | bc66a99b56cae4c55a3f7b5a8dce5001ef9a2935 |
| SHA256 | b2cb0345b345892e5ab3e2082f263a565d5d4c4aeb9e4740dbab0225e9f5e176 |
| SHA512 | c9eefca574bc0e91449d0caace6e5a898426aa491fa52aedd70e41cbff74684bbc57fb923cebe0c74a49bfd1b45fdf3e8beadd80e46126c51641fbe62327c86f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8dcb4c006582d20761db1adda59dc8fa |
| SHA1 | f99172c187e8e51f3434ee3fcca2349f7f1016f6 |
| SHA256 | d9cce782a180d435d68e0c4505cad0211ac493987e7b1143b7b778c66eb92223 |
| SHA512 | 35bdf2d8446fa51ffaa9d28d80a05f8a4daf6a5623d50a2c88b79a3014d07f4e61cadae162e3bbd1eb9214aace725df54b00918f355f9a06f09ad440bd1cefc1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9dc7055b16095c13cacda7264f81f351 |
| SHA1 | 22a9be2342f1d00f6e1be7bf6a493f60c71ccca3 |
| SHA256 | 4a9f3e36d02ae657020cf28fc3aa307059f72e5e17c85a0c5e2a23012f729e0f |
| SHA512 | b7c7c047d635dbcb483d0fa6c1078421f1bee63c00c007ec987401a546f8eb9c534f1d26368be6e77c8a33e1300917ed031b148ed9102534dac414ceb5715fb5 |
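The Files table records one row per write, so a path can appear several times with different hashes: C:\Program Files (x86)\Gamevance\ars.cfg has three distinct versions, meaning the configuration was rewritten twice after it was first dropped, and the CryptnetUrlCache\MetaData entry appears nineteen times. That cache belongs to CryptoAPI (its store for URL-retrieved certificates, CRLs and CTLs), and the Temp\Cab*.tmp and Tar*.tmp files are typically working files of the same cabinet-unpacking machinery, so they are side effects of the browser session rather than files the sample dropped; only the Gamevance directory contents belong in an indicator list. The helper below is an added example, not part of the report: it groups rows by path, counts content versions, and separates payload hashes from OS noise. It embeds a subset of the rows above as constructed input, treats entries listed without a drive letter as living on C: (an assumption), and the noise patterns are this example's own list rather than anything the report states.

```python
import fnmatch
from collections import OrderedDict

CACHE_META = (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache"
              r"\MetaData\94308059B57B3142E455B38A6EB92015")

# (path, SHA-256) pairs copied from the Files table above; the CryptnetUrlCache
# rows are three of the nineteen listed, enough to show the grouping.
DROPPED_FILES = [
    (r"\Program Files (x86)\Gamevance\gamevancelib32.dll", "667a92f10015a29a5126360c9ad031b71de302eab6cc32598eff17652a5ce1e4"),
    (r"C:\Program Files (x86)\Gamevance\ars.cfg", "7810cf62a304899d8ae93d8078dc66226aceb5f6fc1395a687fd7aaf660694e8"),
    (r"\Program Files (x86)\Gamevance\gamevance32.exe", "c788788f1b98d94b8fab20033950a3336cb1eb8050bc0adb02ce88ad94de1abd"),
    (r"C:\Program Files (x86)\Gamevance\ars.cfg", "f96de2c4d6abb48f74aecb048ef9675d40da7e43666960afc22330be77725acb"),
    (r"C:\Program Files (x86)\Gamevance\gvun.exe", "51e0a1f158476630a3eda0a4add10e5916154660b2e0dc043de38d992963815f"),
    (r"C:\Program Files (x86)\Gamevance\ars.cfg", "ff5b33bd6359c9dbd71525919419c132ab64eec252a43845019ddbb3c6f6b02e"),
    (r"C:\Program Files (x86)\Gamevance\gvtl.dll", "9509317f20ffa2b8451773c3a71af1e1148a0f66f8a00af00e97e03a8379183e"),
    (r"C:\Users\Admin\AppData\Local\Temp\Cab99D1.tmp", "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f"),
    (r"C:\Users\Admin\AppData\Local\Temp\Tar9A91.tmp", "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8"),
    (CACHE_META, "4edce67bd91e528f0dc0ad3c6bd0682018e1c7e002b08b33ffa5fb155dd6dff3"),
    (CACHE_META, "3f8bc6b610969d35facacd20d441e9911415c5edce19849ffa05a5c245211016"),
    (CACHE_META, "b5a4c8649471b8203ff28864c62fae6bd31e1e2d22e57a38a92bc0cce7c13151"),
]

# Paths the OS itself churns during any IE session. This list is an assumption of
# the example, not something the report states: keep these out of the indicator
# set unless a hash independently matches something known bad.
OS_NOISE_GLOBS = [
    r"c:\users\*\appdata\locallow\microsoft\cryptneturlcache\*",  # CryptoAPI URL cache
    r"c:\users\*\appdata\local\temp\cab*.tmp",                    # cabinet unpack temps
    r"c:\users\*\appdata\local\temp\tar*.tmp",
]


def normalize_path(path: str) -> str:
    """Some Gamevance rows lack a drive letter; assume C: so both spellings group together."""
    return "C:" + path if path.startswith("\\") else path


def classify(path: str) -> str:
    low = path.lower()
    return "os_noise" if any(fnmatch.fnmatchcase(low, g) for g in OS_NOISE_GLOBS) else "payload"


def summarize_dropped_files(files):
    """Group rows by path, keeping every distinct content version in write order."""
    summary = OrderedDict()
    for path, sha256 in files:
        path = normalize_path(path)
        rec = summary.setdefault(path, {"class": classify(path), "hashes": []})
        if sha256 not in rec["hashes"]:
            rec["hashes"].append(sha256)
    for rec in summary.values():
        rec["versions"] = len(rec["hashes"])
    return summary


def payload_iocs(files):
    """Flat SHA-256 set for a blocklist: every version of every non-noise file."""
    return {h for rec in summarize_dropped_files(files).values()
            if rec["class"] == "payload" for h in rec["hashes"]}


if __name__ == "__main__":
    for path, rec in summarize_dropped_files(DROPPED_FILES).items():
        print(f"{rec['class']:8} x{rec['versions']}  {path}")
    print(len(payload_iocs(DROPPED_FILES)), "payload hashes")
```

On the embedded subset this yields five payload paths carrying seven distinct hashes (three of them for ars.cfg) and three noise paths; when hunting, match on all seven rather than only the binaries, since a rewritten ars.cfg is exactly the kind of file a later variant changes while the executables stay the same.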