Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-pntcmsxlcz
Target JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb
SHA256 a02dc11524f2e6861d13e1901635669e6d5b49e88996df84e9c0271cc8fc88c9
Tags
adware discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a02dc11524f2e6861d13e1901635669e6d5b49e88996df84e9c0271cc8fc88c9

Threat Level: Shows suspicious behavior

The file JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Installs/modifies Browser Helper Object

Adds Run key to start application

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:28

Reported

2025-01-19 12:31

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Gamevance\gamevance32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Gamevance\gvun.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gvtl.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gvff.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\ars.cfg C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gamevance32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\icon.ico C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gamevancelib32.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg C:\Program Files (x86)\Gamevance\gamevance32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Gamevance\gamevance32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443451621" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE4E0081-D660-11EF-A2A1-C60424AAF5E1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007403d36d6adb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006d05a3b3b4da2d4794ccc3c2cda6caee00000000020000000000106600000001000020000000542892096ae5d88b32a538dabbbb1db7084f0b9f1e1d3515d599ca578c8056a2000000000e80000000020000200000008c6b691843d5eddf460b8871fa75866e7d3001b59bf60ae14ed15460d07ad173200000004fda240069bb384f298c633201b64a218ed3ef191fdb5e47c34e772385d93acd4000000061652863202025ced8017b8bf04b3299830d4911c4d88b15f45f59a927ba31c4dc6e6d8f6d32e5b0830fb66fc7aae0f08da787e24abf6bbdda11869ed8dfd798 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
N/A N/A C:\Program Files (x86)\Gamevance\gamevance32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Gamevance\gamevance32.exe
PID 2104 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2104 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2412 wrote to memory of 1656 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"

C:\Program Files (x86)\Gamevance\gamevance32.exe

"C:\Program Files (x86)\Gamevance\gamevance32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.gamevance.com/aj/ty.php?p=srKz%2F8uwwsH0srLyzfLi9PPlsPHq8Lfq%2F8bHxcbCssCxurW3sMaysbX%2Fo%2F%2Bzs7Oys7Ozs%2F%2FMyA

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gamevance.com udp
US 13.248.169.48:80 www.gamevance.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:28

Reported

2025-01-19 12:34

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Gamevance\gamevance32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Gamevance\ars.cfg C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gamevance32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
File created C:\Program Files (x86)\Gamevance\gvtl.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gvff.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gamevancelib32.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\gvun.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File opened for modification C:\Program Files (x86)\Gamevance\ars.cfg C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
File created C:\Program Files (x86)\Gamevance\icon.ico C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Gamevance\gamevance32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Program Files (x86)\Gamevance\gamevance32.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4740 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Gamevance\gamevance32.exe
PID 4740 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4740 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2208 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2208 wrote to memory of 3496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2208 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2208 wrote to memory of 2496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7cf059aeb75b6b322aa6e214f6ecedb.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"

C:\Program Files (x86)\Gamevance\gamevance32.exe

"C:\Program Files (x86)\Gamevance\gamevance32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8uwwsH0srLyzfLi9PPlsPHq8Lfq%2F8a7tcLBura1tbSyt7TCwLr%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9afde46f8,0x7ff9afde4708,0x7ff9afde4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,538983027741870553,12208360362363369290,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5276 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 www.gamevance.com udp
US 13.248.169.48:80 www.gamevance.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 www.gamevance.com udp
US 76.223.54.146:80 www.gamevance.com tcp
US 76.223.54.146:80 www.gamevance.com tcp
US 8.8.8.8:53 146.54.223.76.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Program Files (x86)\Gamevance\gamevancelib32.dll

C:\Program Files (x86)\Gamevance\ars.cfg

C:\Program Files (x86)\Gamevance\gamevance32.exe

C:\Program Files (x86)\Gamevance\gvun.exe

C:\Program Files (x86)\Gamevance\gvtl.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2208_LVTDQUTTWXDZHRBK

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State