Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 19/01/2025, 12:28
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Size: 2.1MB
MD5: c7cf059aeb75b6b322aa6e214f6ecedb
SHA1: d21d65268b7c6844545c0cbd870e6d1fc278e41e
SHA256: a02dc11524f2e6861d13e1901635669e6d5b49e88996df84e9c0271cc8fc88c9
SHA512: 86e65315039134f338ce0dff0c511f02f51e683edaf22d5c55490dc72f30f992319ef803f713c2be88a02951b6abec98c20fd6b6b8af032c00606445038eeb11
SSDEEP: 49152:LejPDPnwqB4WcAssPeWZLkjhVdSV/zHQiuxR+vSXkzbgXwRV:yjPDh4nAtkvOzHQnxAvvzbgXw/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
2812 gamevance32.exe
-
Loads dropped DLL 4 IoCs
pid Process
2104 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
2844 cmd.exe
2812 gamevance32.exe
2688 regsvr32.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" regsvr32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
-
Drops file in Program Files directory 9 IoCs
description ioc Process
File created C:\Program Files (x86)\Gamevance\gvun.exe JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File created C:\Program Files (x86)\Gamevance\gvtl.dll JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File created C:\Program Files (x86)\Gamevance\gvff.tmp JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File created C:\Program Files (x86)\Gamevance\ars.cfg JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File created C:\Program Files (x86)\Gamevance\gamevance32.exe JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File created C:\Program Files (x86)\Gamevance\icon.ico JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File created C:\Program Files (x86)\Gamevance\gamevancelib32.dll JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg gamevance32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamevance32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 gamevance32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier gamevance32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString gamevance32.exe
-
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS gamevance32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct gamevance32.exe
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
-
Modifies registry class 31 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2104 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
2812 gamevance32.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2412 iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2412 iexplore.exe
1656 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target
PID 2104 wrote to memory of 2844 2104 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe 30
PID 2844 wrote to memory of 2812 2844 cmd.exe 32
PID 2104 wrote to memory of 2624 2104 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe 33
PID 2624 wrote to memory of 2688 2624 cmd.exe 35
PID 2104 wrote to memory of 2412 2104 JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe 38
PID 2412 wrote to memory of 1656 2412 iexplore.exe 39
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
    C:\Program Files (x86)\Gamevance\gamevance32.exe
    "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
    C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2688
  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8uwwsH0srLyzfLi9PPlsPHq8Lfq%2F8bHxcbCssCxurW3sMaysbX%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1656
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads