pandastealer | da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61

Analysis

max time kernel
189s
max time network
453s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe-air-51-1-1-3.exe
Size

5.9MB
MD5

34dba7939065022ad74458acbae28abd
SHA1

5f4e6e7cc0f2970068ff1c05189a8dc6881b8d33
SHA256

da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61
SHA512

6271f67b486c7273fd391e4379f987fcce3042947909e97d05290d04469588a94bd501685f686037a400b788d6693e73f7d7799069c772b80da9556322c6cc79
SSDEEP

98304:FOB7drLD5C522D5K6O6DWT9dCrVodEdhIW5LkrNcBByeTTC3qdqH2pjin6uYRjUI:gB7drxU22DJVAbAeOIyBBNiKqMbZUI

Score

10^/10

pandastealer discovery phishing stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019667-4161.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3312	msiexec.exe
5	3312	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

flow	ioc
278	yandex.com
241	yandex.com
243	yandex.com
265	yandex.com
125	yandex.com
228	yandex.com
289	yandex.com
267	yandex.com
124	yandex.com
209	yandex.com
256	yandex.com
292	yandex.com
126	yandex.com
219	yandex.com
244	yandex.com
199	yandex.com
264	yandex.com
271	yandex.com
288	yandex.com
290	yandex.com
235	yandex.com
238	yandex.com
242	yandex.com
261	yandex.com
286	yandex.com
287	yandex.com
291	yandex.com
201	yandex.com
229	yandex.com
266	yandex.com

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\setup.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\digest.s	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone16.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\AIR\application.xml	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	msiexec.exe
File created	C:\Program Files (x86)\Transformice\Transformice.exe	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\AIR\hash	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.msi	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	C:\Program Files (x86)\Transformice\TransformiceAIR.swf	msiexec.exe
File created	C:\Program Files (x86)\Transformice\mimetype	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone48.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone32.png	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\signatures.xml	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.msi	adobe air installer.exe
File created	C:\Program Files (x86)\.airInstallTmpFile.tmp	Adobe AIR Application Installer.exe
File created	C:\Program Files (x86)\Transformice\icone128.png	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\digest.s	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\stylesNative.swf	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	\??\c:\Windows\Installer\f76af26.ipi	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76af3f.ipi	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EF6.tmp	msiexec.exe
File created	\??\c:\Windows\Installer\f76af23.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76af26.ipi	msiexec.exe
File created	C:\Windows\Installer\f76af3f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76af41.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76af23.msi	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB304.tmp	msiexec.exe
File created	\??\c:\Windows\Installer\f76af2c.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File created	C:\Windows\Installer\f76af3c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76af3c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1CA.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
2224	Adobe AIR Installer.exe
912	adobe air installer.exe
6512	Adobe AIR Updater.exe
6368	Transformice.exe
2696	Install Transformice.exe
6168	Adobe AIR Application Installer.exe
6084	Transformice.exe
7464	Transformice.exe

Loads dropped DLL 31 IoCs

pid	Process
2564	adobe-air-51-1-1-3.exe
2564	adobe-air-51-1-1-3.exe
2564	adobe-air-51-1-1-3.exe
2564	adobe-air-51-1-1-3.exe
2224	Adobe AIR Installer.exe
2224	Adobe AIR Installer.exe
912	adobe air installer.exe
2224	Adobe AIR Installer.exe
6512	Adobe AIR Updater.exe
6512	Adobe AIR Updater.exe
6512	Adobe AIR Updater.exe
6512	Adobe AIR Updater.exe
6512	Adobe AIR Updater.exe
6368	Transformice.exe
6368	Transformice.exe
6368	Transformice.exe
6368	Transformice.exe
2696	Install Transformice.exe
2696	Install Transformice.exe
2696	Install Transformice.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6168	Adobe AIR Application Installer.exe
6084	Transformice.exe
7464	Transformice.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe air installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Application Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe-air-51-1-1-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install Transformice.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Application Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Application Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	adobe air installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	adobe air installer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Adobe AIR Installer.exe = "32767"	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	Adobe AIR Installer.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\PackageName = "setup.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\Application	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\AIR50A0.tmp\\Transformice\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids\AIR.InstallerPackage	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Management	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\ProductName = "Adobe AIR"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\PackageCode = "D23A06E79DA76FC73187F2CBBD3BE717"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIR50A0.tmp\\Transformice\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Runtime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0449CE60EFC8852D9C0992133D806BBE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\DefaultIcon\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE,1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Version = "855703553"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\Content Type = "application/vnd.adobe.air-application-installer-package+zip"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\PackageCode = "BBD26563A231C6047BF676630876766C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\DesktopShortcut	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.air	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\ = "Install"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\command\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8663020007180A44EB446B23AFD487F0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\ProductName = "Transformice"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\ = "Installer Package"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net\1 = "c:\\users\\admin\\appdata\\local\\temp\\air818f.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\LastUsedSource = "n;1;c:\\users\\admin\\appdata\\local\\temp\\air818f.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\ProgramShortcut	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0449CE60EFC8852D9C0992133D806BBE\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open\command	msiexec.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adobe AIR Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Adobe AIR Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Adobe AIR Updater.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3312	msiexec.exe
3312	msiexec.exe
3312	msiexec.exe
3312	msiexec.exe
7764	chrome.exe
7764	chrome.exe
3312	msiexec.exe
3312	msiexec.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	912	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	912	adobe air installer.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeSecurityPrivilege	3312	msiexec.exe
Token: SeCreateTokenPrivilege	912	adobe air installer.exe
Token: SeAssignPrimaryTokenPrivilege	912	adobe air installer.exe
Token: SeLockMemoryPrivilege	912	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	912	adobe air installer.exe
Token: SeMachineAccountPrivilege	912	adobe air installer.exe
Token: SeTcbPrivilege	912	adobe air installer.exe
Token: SeSecurityPrivilege	912	adobe air installer.exe
Token: SeTakeOwnershipPrivilege	912	adobe air installer.exe
Token: SeLoadDriverPrivilege	912	adobe air installer.exe
Token: SeSystemProfilePrivilege	912	adobe air installer.exe
Token: SeSystemtimePrivilege	912	adobe air installer.exe
Token: SeProfSingleProcessPrivilege	912	adobe air installer.exe
Token: SeIncBasePriorityPrivilege	912	adobe air installer.exe
Token: SeCreatePagefilePrivilege	912	adobe air installer.exe
Token: SeCreatePermanentPrivilege	912	adobe air installer.exe
Token: SeBackupPrivilege	912	adobe air installer.exe
Token: SeRestorePrivilege	912	adobe air installer.exe
Token: SeShutdownPrivilege	912	adobe air installer.exe
Token: SeDebugPrivilege	912	adobe air installer.exe
Token: SeAuditPrivilege	912	adobe air installer.exe
Token: SeSystemEnvironmentPrivilege	912	adobe air installer.exe
Token: SeChangeNotifyPrivilege	912	adobe air installer.exe
Token: SeRemoteShutdownPrivilege	912	adobe air installer.exe
Token: SeUndockPrivilege	912	adobe air installer.exe
Token: SeSyncAgentPrivilege	912	adobe air installer.exe
Token: SeEnableDelegationPrivilege	912	adobe air installer.exe
Token: SeManageVolumePrivilege	912	adobe air installer.exe
Token: SeImpersonatePrivilege	912	adobe air installer.exe
Token: SeCreateGlobalPrivilege	912	adobe air installer.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
6084	Transformice.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
7764	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2224	Adobe AIR Installer.exe
2224	Adobe AIR Installer.exe
2224	Adobe AIR Installer.exe
912	adobe air installer.exe
6512	Adobe AIR Updater.exe
6168	Adobe AIR Application Installer.exe
6084	Transformice.exe
7464	Transformice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2564 wrote to memory of 2224	2564	adobe-air-51-1-1-3.exe	30
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 912	2224	Adobe AIR Installer.exe	31
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 2224 wrote to memory of 6512	2224	Adobe AIR Installer.exe	34
PID 7764 wrote to memory of 7808	7764	chrome.exe	36
PID 7764 wrote to memory of 7808	7764	chrome.exe	36
PID 7764 wrote to memory of 7808	7764	chrome.exe	36
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8104	7764	chrome.exe	38
PID 7764 wrote to memory of 8120	7764	chrome.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe
"C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\AIR818F.tmp\Adobe AIR Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AIR818F.tmp\Adobe AIR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\appdata\local\temp\air818f.tmp\adobe air installer.exe
    "C:\Users\Admin\appdata\local\temp\air818f.tmp\adobe air installer.exe" -stdio \\.\pipe\AIR_2224_0 -ei
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:912
- - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
    "c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe" -installupdatecheck
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:6512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:7764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5929758,0x7fef5929768,0x7fef5929778
  2⤵
  PID:7808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:2
  2⤵
  PID:8104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:8120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:8140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:2
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1292 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3784 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3704 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3700 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3764 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3868 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2328 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3904 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2920 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2340 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2392 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:1
  2⤵
  PID:6148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:6364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4352 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4376 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:6384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:6208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4384 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4400 --field-trial-handle=1352,i,2312036212403483804,18308958108320257748,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Users\Admin\Downloads\Transformice.exe
  "C:\Users\Admin\Downloads\Transformice.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6368
- - C:\Users\Admin\AppData\Local\Temp\AIR50A0.tmp\Install Transformice.exe
    "C:\Users\Admin\AppData\Local\Temp\AIR50A0.tmp\Install Transformice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2696
  - - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
      "Adobe AIR Application Installer.exe" "C:\Users\Admin\AppData\Local\Temp\AIR50A0.tmp\Transformice"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:6168
    - - C:\Program Files (x86)\Transformice\Transformice.exe
        
        "C:\Program Files (x86)\Transformice\Transformice.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:6084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5792

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:7048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5929758,0x7fef5929768,0x7fef5929778
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:2
  2⤵
  PID:6600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:8
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1604 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1404 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3400
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f9c7688,0x13f9c7698,0x13f9c76a8
    3⤵
    PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3780 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2632 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:8
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3288 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3868 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:6420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3956 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 --field-trial-handle=1172,i,8503010908008678201,14253872113378371200,131072 /prefetch:8
  2⤵
  PID:6088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4300

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:7464

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
PID:1900

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
PID:5580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:7248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76af27.rbs

Filesize
14KB

MD5
80305b68c795bcd34c1ed33d76130b72

SHA1
e56bcc616a67bc44638eba4837e123be54cb848a

SHA256
5fc421b28f122e6f48551876d92c675773e8ead93f83ed1ac4b3dc623d6ad0a5

SHA512
24c759d491a388af859a8991059e1bd13ca63cd609a26e910cbdf07c8f2f6271e7433dd933a7aa38872cfd2332c3d17ab00d479da7e82e62252aea4474d6d35d

Download Submit
C:\Config.Msi\f76af2f.rbs

Filesize
11KB

MD5
7105ceed55ed6f82a3a6efbf3e6df439

SHA1
a96ee58785590baf9fe3737d12abb31198a271a3

SHA256
391e4f53397d1c98f3d54328448154c230fafdc160c428c414f4ed66eac8b780

SHA512
80cd3bebdcc119a3f32532bc23cd647d1a781e6616c0879a73be3416f12ff6afcceef237786fa88aa23a66a253dcc1e871739aa102009e496003a24ede116138

Download Submit
C:\Config.Msi\f76af3b.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\f76af40.rbs

Filesize
9KB

MD5
2217c5e58f3720d90ab8642681018f64

SHA1
a8f66ac2e138a2afc41a07bf6b5c55e29354c93b

SHA256
8b71c406a68ca7faf9abc62c8426793cd4bc40f3b78ddeb531b22ccb67fe4261

SHA512
bd7a40b4f13307c7c486966af56adeaf4c8d8b613a8c0fb30efda707d9b1b5361d9115a2d518212816a7d662569be63b2bb2624745272ac91fe598f11ad3adbf

Download Submit
C:\Program Files (x86)\Transformice\Transformice.exe

Filesize
139KB

MD5
055a34bd625727d3e1f9fc15e2ff6c3b

SHA1
d9f23f91240c6ebdb6cb88f25b43ac68da40d6be

SHA256
a0c992369f8bf35c5856d1fd4930ac72c682bb74d8f6764466e4630b1a6a9347

SHA512
28afec89c505bc01592774e1a2eb14b4d104a13c2e351cd3c468cec7314be0af86561b8e1684765ef254f776416dd69009b9cdd1a577ce63e2ee5af4d44904ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a294c1266e03a2c8227399b89008aa05

SHA1
bd60823ff34d89d555e88622c0ad636e9a39ccdf

SHA256
70fdaefbf315de3f3acfed6ed08fd2149caad47d4be50fb372c36b851a95c59d

SHA512
bcc6ea85cd5884c6c0cdd3588ec4903c1ac15cc8b02d3f4f431bfafe2dee70598628f38e8c6d44872e05dcbb83dfc7c42eb0a03d27307154adfd4b5fce6401fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62ae240914b2a8dec9c929d7f80ac52b

SHA1
cdc3eb7fe6f7b7e5c7282aaa10dbb9c37eecf5cb

SHA256
a49c0f83667285806c3f64426ebd98adead3b5a8c90dcbf107bb4a2968e08f21

SHA512
297ee01f466f68f7ca7ce479fa780ab6e3a532855086709030f98e53ebb1387feca7c88f4150af7b9cfd7ad1933b5ff606aedd326d57ccdc67368fe3daf7305f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
581B

MD5
39ce94ff375b73437c31f77f218e6364

SHA1
eb6ee22127c0b85f4b0797ddaa8362a98c173f92

SHA256
4ede8c3472f84ed9ae239d55889c69c1717553c49b75f2a8e93b05631b7fe248

SHA512
f8cd65a78bd937e6549544dd8d746c4e8d12def32eda9c636cc7f24a42f6bffa2bc99b74b20b7ead04061e46d5f421bfaa5dc99457f33ce83d273e4a89475393

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
b36580b2db043b677a6e499815bbf580

SHA1
b5ac1f17a073670e9a79eb742ed7142846098b65

SHA256
a2c90b47acc05c8850fb695173f59766d8c13bb6ef6e78fd6d2b79f085c5a8a9

SHA512
0e92b61a527c4df139b107417abd4383760d1ac008499a407a21af1eb9ab2277ccce64dd402397af6019c91f111ed2190dbfb56b3809309f6a269cd1b366b775

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
609da754ce859b58de16f9168d0e7075

SHA1
c3652e606f511366b5a95ee633f3cdea77ff38dc

SHA256
93b7a91ae3d72080f0d8012341c1d36ae7eefa7e9f3c52bff348b2101c5664e4

SHA512
091ff0f661225a8c79c13f225af1bda856c6478e068e103d83febe193f011aae974453ab1002d2d62744c94f108d7ce68452b6e398dcf92e7ea04117f456d7e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5e0fe1b8-281e-41be-a75d-492ba9f4d000.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
29acc7d11d4391748f3d1253849a2e0b

SHA1
3ff5749dfe8a28085a4a40cb88a60e498cbd9175

SHA256
8e133e9d24921ee093ae9b9b18270faa284d0adb2d88ee326ec85cb0642ba8e5

SHA512
0a6eec4b96e4f9f9886f5607684d94a603f240d5a2964e9f5698bdb8c93eada7c7c6959d0a339c2ebc5c21069412074199b26ef82969222ae1700150134eeaac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77141d.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1522785c-df18-44d3-acba-c2daf0e3a112.tmp

Filesize
6KB

MD5
12fbb2469a1f180d83e8b4f87b2254c4

SHA1
513315d914e8d9de202bafb56c3680cd661305af

SHA256
c8c26b35a5d47e85251f87704c662bbbf2e667129671da06120bb9db8bf6f3b1

SHA512
ab1703c48adb174ade598231e93b4ea87209353e3159452bdb75267ec3f2d375642e9331c49b63b6a1a410dc6491fbf89863e8753898065aecaec46ebf4c1b2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
eb4b5102fed533cc52463ac7fd4e700e

SHA1
ecd868e51b97149ca26e1a477c1552478ba48bc0

SHA256
e2753c3555fa313674e5135acfcf2af433a75d48e82f2496f61430a6d08f7db9

SHA512
498b2a70d91d8c774c6f162e8d178dcc4dd19d76f15f4768a461a5b6c881342f03ce5554a3b0a3cd6bfb2217e15ce918d4f20b4f308d97fb237ffc144f95a62b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5b67b34bf06925b4222e680607e72e9c

SHA1
62f4c127e802625f6a5398ee9c7b5d5897b5b483

SHA256
5c945fbcdd4166af07d2319a6d443e01627567c795341cd8d9421c8ca90f9a05

SHA512
02694465e0346cfcb725e29463b89b3f829cf3bb24fab7d9b2c5450f205f8079ec94fcf2bc35b7e16ac6de78a505a3ac0127071cee8d3e4049100106fdd68daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cf7a3cedb3b9006fdedcbdd0d94ec08e

SHA1
4ada9fff4d14be02b2489bbc3734733ebc711ef3

SHA256
91417dbc6974482068e7dc9cfb13a15182233c5e0f277e436a22260f5cbd9317

SHA512
3d78aac91d509a400a5098b5cc2d5a5c0a9dbe56965b6d16aaf1ab9e18f5dd9454bfc2dad0c1e2560f1463464fdd50ae19776733314d10728031b0671cec8fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4945a3b833cf945aa48937117741d96e

SHA1
a95c06477aa53dab6620504464356893361c7566

SHA256
1112656a1309f07e78c2d7a00b242135d843d37c3e32266c9997d3c8ce0e925f

SHA512
c67787ad5add2f967f2ad163f65094f19e4275aff86af0b2f5ddf6ed00119dc93486a47eb9c4d81aec51b01763ce5f005e9c0388546656efe6096db85fe6a303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
df238efa491b3d3e8945d68f325716bc

SHA1
d54a91ea28d658024a15addca2e215bef402a84e

SHA256
3507d218d44a96f31770ffe9a986d302be30cb8dc87cbe8b2ab2bac890f864db

SHA512
28bb80f7b25e3b9251b8e6d319d2777f19e393fbf1319da361010905128cb99eda4958b0e7cb622ab91bf3ad9a3e39d6365b1598acf68f240dc61f5f04b9af46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0b2c96755b59484225f3c500442c0691

SHA1
d45cb0f7424b5d0ca919135aba30b8653b67f515

SHA256
a53b8a1bf0be85f173df283fe43680416f236515f5517456d38cd2552c6fd56e

SHA512
a47e0c93a031ffa54c35587c77337bd06046f8445500e0986b4ce61568f8d29449e550571e4e571b12634597100fd36c6f08170804760f4f98c6c6ce90c9ea24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
120b533c1247daf385e02aead97c4e14

SHA1
5378a34f2ef28ffdae5e3809f3f95b911689e1e1

SHA256
4e290ce67c2a49d4223612c2007d47a86e941a86fa6f705dcf452d31f2b080b8

SHA512
1ec439e081d5177e19dc756092284ddd00335adb19863aa1febda2ed0f92dfaecc7754ee1153fc4a0fcd8740bb65535e94971ffa1390f79c5906d9b376c5f375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e5867f22fa50d9569c703fd0002a5f0b

SHA1
3134dad79a4d2ec2457ced93eb52794ba68f6b95

SHA256
b9bda591c812b27d5fa8cad148bbe6f99ddca3ee69396262325cb8c466f4fa5e

SHA512
dd9e0e39c31b70741a5d71c1086e3fc01b09dfd503a4428569df35945f35673568055be7e9849bff4e5efb0880ed3aa5ab0bb74cbc8d1b5555ea9f7a7af2d71b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
2e656a998ab56f0fb59fa80e4a0ab53b

SHA1
e7ea941c8801d4a41d0e914f72d5b01aff37ca6e

SHA256
1902040dc479221b386dea384e6f12585813a348199377760adf7a62e0c88437

SHA512
f6c30a68a88156c124ea2e508a9ac41047037be6013650811d2025e5fb97041f991c7916a25ead4e855f956a4bf6f4bffc59cf1c733c635c1d0a7d5ddc4aeff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\db0dbd06-e7f1-4712-bb15-1268e473e474.tmp

Filesize
7KB

MD5
0f059e6af0449d82800c52e7a3e830f6

SHA1
d3b48c19fccbad7df28c06da26d4bee524880bd2

SHA256
e2754dbccea9dc910e1102a29792444452fe930e1ae28213d508666845f1cba3

SHA512
106faa1ae72a4cec57e62526ec9799fc2fe251dc718b5dfb41a7c95446340d46973bd1a534fcc25131a3b7f7b8451fb02afbac0106d66c209da6fdd8ddd23974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f5231ff8-c5b5-40f5-af79-b5441c5ecc4f.tmp

Filesize
7KB

MD5
7406f614b8529af4272d8c32aee16e6a

SHA1
e52c9e569364e9194a58528b12fd7e82b7f99984

SHA256
72ec1a025e7c1fd8413cf978cb5c67dfdfb2a58488c2c57bad1ec19a0ac63fd4

SHA512
2f000cececeb2812214d0ca270c7f06c04398b355094233ca7825e1f91e8721ca96b5d578a7f967c2630bfaf74449c26d1da5cbf8bc089637b243514a976bc1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
780fdc688612f1e7de20011b1ea77750

SHA1
c3680e86ec1832527b37bd83af3281e1b6963613

SHA256
baf36bc5d38341b097d172b95bb091a6867444962560cccd42ea7d79ea20d5ae

SHA512
7eaddea255223c042dc0e839e8994f1413c4eae40780879efa0f9aaf643f354dd02530e02d84390ef92de0702299cde181f1f17ae025c52c2c572f526590544d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
179KB

MD5
c7cd69e89621c9d1a6d55d0b79e4c96e

SHA1
e5742fd24c3a00790ff1aa3e9c75438af6065168

SHA256
c5e7076f41de46fc81e7d03b947abad905ca811537a0c7292b450b78a3138ed8

SHA512
c9450e95b410b73a356cd18a10008d7f88d83e1f3c89d7d90eb65cc283e079a8d4b0e2e31e98a54baaafbbd509c71ce624fb77dcd39fc3ddba67b7f0bce656dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fc86b828-cd5a-46a7-8ade-8ddc24f6292f.tmp

Filesize
344KB

MD5
3629d9e26cd7ae92f74fcfddcd2dc9f1

SHA1
0b2a1716f852dedf07333783710c3669dae778d3

SHA256
992b056ce36d0b0bec84acdeca5cb6e96664d74cca611cd41ec0b71d33622bfe

SHA512
e7c3c629e91941f512fccf46c53af706179ee5cec3224dc03cbc600ad7ce486774211bcf1e73aa0dc7d8d6f9cd83e7177ab46d2789063d18b01a44a7140a8948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\info[1].php

Filesize
105B

MD5
db6b7e0131993e003ac733a26a585995

SHA1
7f0380250b73c03433e5074662613b9fb8a02176

SHA256
8227596b9cad5d2c266ac071ecc6cbad5f1ce026d38a172e7e007d38ece28162

SHA512
8ebb5d0c04f7965cda0b2c70311bf42f7ae6f2d39cb0cca7bc48fa5af1e1fef484acad47f1b47bf76075cea0250a18ad5abcbc85a9b76bf8bfeace97dfdf6acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR50A0.tmp\Install Transformice.exe

Filesize
130KB

MD5
a5da8ba949718507dfda7a816326fdbe

SHA1
3af561103bfb62fb580ab44954cd56c0aefc275f

SHA256
75eadf5339a379e93627e0a6659939d7b4f22b60849d8b906900255564ecb494

SHA512
073decc81a69fe60ee059ac086434738e702fdee078a65f1497c54d9106665687ed88b60e29ad3d750bcd1447d1ed117095941232e6c1919c2e14511befaf5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR818F.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll

Filesize
13.4MB

MD5
b10e155460556fa4667536de7bb40e43

SHA1
a17872d7ff29a307fac5b4ed98887a420f716964

SHA256
371c442e9ce81a9514d25eccbe6e9c37a7b766bc5de1a7e03e50ac77cb8ce374

SHA512
4a3d2b0ec3d3ae868c50530136da228d835234198a41aa47ef11c40843249bad29425d50967ce8205c948336d02107e69655900c071cb5b3cb0c63e57ea557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR818F.tmp\setup.swf

Filesize
512KB

MD5
ad5f7d53caef368303bebde302582d92

SHA1
9efad61bf69e80d7468236695e0a108d360ae749

SHA256
2b501bfdb378ba7130b8e4b4b2263adfb4f95887cf071ded134f4cffeee5f40d

SHA512
8a31c0009c915dbb46c054388d793c1db8fc7b5ae1df419b3f284cad1d2f8db1f2ed759dcb126868d64af8a0a94c9e479776e6da86296af4e73a0850821c49e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF45.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFE4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Transformice.exe

Filesize
268KB

MD5
e0d19351dd3e1d5361def38659318249

SHA1
e6824969ebea151c77080b445ac416b56dd8630d

SHA256
6f378db45311af48c29fbd47550e7c181c748c1dab76cadd1f1f1c872ad288c8

SHA512
a684739e9f9283f1ad6dea9747fe46fd2feb9fb7854d128cd34b3543109cfc7c1f9cd21890ca27e55afd88d082ba81507eb3382968ba09cd33afc8208f33ec4b

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll

Filesize
8.0MB

MD5
479dfeb6bfdb8035dd2bf79cabb39e65

SHA1
e1b8a1363189abc7d3f7459bd6740682e43b30f2

SHA256
814728159d8e316eb6bc09fb1dafef911b708d1d1f51e8e866fee8e7965ce05e

SHA512
2650454e22176d31415c3be4dca4ed887bf30adf4f3655dde5d9cd538025b662ec9bf39657aff540c68aa1e4494c449099bc1a693ea2f835bd41ac51169778ca

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe

Filesize
59KB

MD5
5e9d2fccad3b9edbc0a8ab0fe1e5e510

SHA1
4f74227b71e570f57e0bf611de8fe2b73cd3aba3

SHA256
ba7cd3c2ef37746576ea934fbbfe6ce0f659977f604cb6528e642e6d82e60ff7

SHA512
8e5ae33075564851f1534767558b1be79894858a912e5f53b00c98ad38e46bcdd17e225e32acea78b634221b506a312185ea155faaac976642c6fc8ed352f035

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf

Filesize
352KB

MD5
8599589cb2f1cfad899f0e95c3cf2bc9

SHA1
5f749cd74d03b0d050be34eba34cfa11dabab3dc

SHA256
101140c8df33cd81af64000549872ef9e48af5913a27367e0865a4f83becc509

SHA512
216b21b7c373f083fbd4246555a94c8ade6c6d009a381d28b98a59028bc0eaf99ba937147c90184060ee3c6c6a95d9b0b249da3fb2ef16272eb881bb6e74e35d

Download Submit
C:\Windows\Installer\f76af3c.msi

Filesize
21KB

MD5
164df4c65d8e4e8d910e2a1703ca3e75

SHA1
3531024204406e602e3157ff5ca8b9e36c1111fe

SHA256
9566c1dddc1d0ad10071e9f260a05a96da4307f64a9ee59ab318aab823cfee15

SHA512
3d14ff7274ba92cee9c1c25fe08bb03b9253b2ac8e316ebd738a935bb1ec6ad17042b3dc3a8ceacc15627d91cb4ff0885e326cb8bb11a1dd5408f9a571970636

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

Filesize
408KB

MD5
277739413fb03b430b50d60d679f3d97

SHA1
264da51d663ef366a19dca31faa83f2ae91c6e45

SHA256
96cf2ed23e21169633d3a78f0677fd28754c1f491d590809506dc075bb49eda3

SHA512
8429fa88b6e1eb072edaf28c79b320a6150f0579376d61c7f11a31b59a116848cff5315373a0393c238e1d19b4e4b5bd282f9de54a7749db658dda073f227cca

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf

Filesize
491KB

MD5
e9db98f0ab9334466bc94604c62e4c04

SHA1
992642151c9ef76e338509b592e29cde69383751

SHA256
c740ad52c9c1ab8d7762dd744f13742564cc1500b94d7a29bfc60311b7f22934

SHA512
7dfe2dadabeb3159a91b70280e5ca773f37d45babbe2c6a37989fc2848ffd0ec4ef9e3d8b6af69853be6adab935126b94b45216fa395c7fa0755f969c44c8c71

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

Filesize
383KB

MD5
557de97331f10692a1d1a6d757587f6a

SHA1
9d12b14515b876047e42e119048a0de6f791ae7b

SHA256
ee869bed7628dc2db4dd1ece9d2dcfb084cc803a08c007d3d88b0bf3343b15cb

SHA512
8d94d98c54b457b99e2c00a99f209fecc93544b3bdb998561cc0f8dac6768e3ae93b4737e18ce51d9d9059d45fd3566be0cb67b80f067d6484d7ddfcb6670076

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer

Filesize
1KB

MD5
bf70913ff8d6d60a47fe825330815db4

SHA1
6be8460639f5651848b2f83ab1463f5602be06c3

SHA256
944e66aa967bd390952d22426bf1dfcd379a2c87a21b942fbca79f41f0354aac

SHA512
108e3c8ec1d45de97a7efc5c6262602414bbb7a32477dd7d8aab4c9335365f2b95c52d4f708a4a7422f4d4e0877f222cd358411d7b78cebe83565954e4f465f0

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer

Filesize
677B

MD5
7f667a71d3eb6978209a51149d83da20

SHA1
be36a4562fb2ee05dbb3d32323adf445084ed656

SHA256
6b6c1e01f590f5afc5fcf85cd0b9396884048659fc2c6d1170d68b045216c3fd

SHA512
7f7329f4f9a3fb45b8aaa8eac9191bef9db85a1bdb13ed66d1ece6a51531f216eeb736a96d8baa87e033f2b7f0b8879954bc261c4c8bd632563ba153bc07e0b0

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe

Filesize
53KB

MD5
9cec1614a59cecacd3d31274bf00a37f

SHA1
b46af6fa2924b0c4d6e290ae0dcbc42e3d27ad1a

SHA256
e277d2a94295506fe1574cf0b4e499b204f83293b290fc1139098d55e2b7c176

SHA512
25f6c873bf406f3615bdf04aae5e66d3bd5b52bb77c7cda27a57cf5830012bcbec4cf5b0a563b868ec0fd47f1612fc4be6b6c355685db86b1da41b2bd856b64f

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\digest.s

Filesize
2KB

MD5
0f5295089e4ef5a7396007407ee21113

SHA1
e5731eaa83f4dec94fd51612beb8e72b42df8954

SHA256
4571ead5d878568c4082003d21f50a39b8687f08e8f631aa20351014373ed2b1

SHA512
49d02f3787454c9e0b77822de0f3761457eca4038fd7ba74e1c61232b5887b6f658161c7c088690641c33f4e0bad755b45886572e0cc1b468dc7d5c42f8257b3

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf

Filesize
229KB

MD5
bc2c33f2d32da05074e96ceafb8a25d1

SHA1
ab5b93ff24f10dd6446690862b34281964e70d55

SHA256
bbc0e77749778134698038ea107dd47e76e0cd849d34406eb960bf0c9f3c7a5a

SHA512
83c7676816594e5931d8a36827d492e7a52b120f23a1e3375ec0535698dbfddf955833fbf17accbe2bba05214d73eeae8ab9c0e4b3f74f796322f174f745609e

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\template.exe

Filesize
86KB

MD5
3c3024ded7007aa0d529555ac6754342

SHA1
5e3c3c583c14cc8207952bb18387e0ed852677af

SHA256
ece64eaa90de0446dbdd7fc96c36e0ed784bba0920d807cd2aeb15ea6d38d057

SHA512
38451c05dc7e65b9765dd28abe6ee8510f1e7b1f8cb683c833b601c95cb4151714a3b76581fe6841724805997db42e2e0d1f80228acf8985cd5131f64fbc9e0d

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\Versions\1.0\Resources\template.msi

Filesize
36KB

MD5
d4139b57677a2ad682938f60522e2b0f

SHA1
2ed0025422389df08373e056cd1dc6bd7295abc5

SHA256
cb2954595c2ac2c5c0ad6db3471073ea67b27e17914072f3cbf6344c97d6592d

SHA512
282db921c661601025f1c2b6e91e667ecc4f1595a85e23cd367b966df59470b910fd8e93ac4bbc1a4989f92d8245c140f8dc86036f25713951b5881acbd0c3f2

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\Adobe AIR\sentinel

Filesize
11B

MD5
a5c11ca014fe30b8085ea2e95f7196c4

SHA1
594e00fa5eaeaa9f99f7e45d92bab7dd7ca8575a

SHA256
096e4bfd9f7e1faf15058c0a0fe45e6dbd00e3e1360f21f2ca92bce16a9a919a

SHA512
9b3dd555ac1ab5e8dafcffdb6e23ebfffafecfb908c204e88a369c9c8e0fce326caa3aa2ac71be6629f018191cc379e29b1a919dc787fe29bc16c5f0ee24b26b

Download Submit
\??\c:\users\admin\appdata\local\temp\air818f.tmp\setup.msi

Filesize
48KB

MD5
5f75a11c1eb98a022e087ba7eefc2ea6

SHA1
9f46877e58f4549bcb2c4f0fd903d9fb49ecfb8a

SHA256
6f905ac0f120f11bfcf04496ae7cf6e3d0128f6cd6b08cf0cf5eab7ff9ce314b

SHA512
5f45bdffe6880197af1ae1f6ed1b1483a4595c982c39e33f89c5972658809dbd3041f0f8105206534baf129e0f5a8a51e05a4aa69b08d52edee530a2018afff8

Download Submit
\Users\Admin\AppData\Local\Temp\AIR818F.tmp\Adobe AIR Installer.exe

Filesize
383KB

MD5
6ba34f521e2de430fa5ba108e399d12e

SHA1
830ee63d8db0020201b6d0cb8d5a2ed2dd523256

SHA256
1a54ac75b4b671657c4368c6a73143e63462be076312921bc6d1e94a12426c58

SHA512
1e3826aa000abaa15d93e516b8398f31a9517d8dbbaa2ee671cfb2619af3818efe8b810e6fde3411c8b05b8c51afbd58b561c6d76e4383ac300bb7a3ce8f6401

Download Submit
memory/6168-9592-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9598-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9600-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9597-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9596-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9595-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9602-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9603-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9601-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9594-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9580-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9579-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9578-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9577-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9569-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9568-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9567-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9566-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9565-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9563-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9562-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9561-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9560-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9559-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9558-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9557-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9556-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9555-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9554-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9542-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9541-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9540-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9599-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9581-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9587-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9588-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9589-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9590-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9591-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9593-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9583-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9584-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9585-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9586-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9582-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9570-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9571-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9572-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9573-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9574-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download
memory/6168-9544-0x0000000002E80000-0x0000000003080000-memory.dmp

Filesize
2.0MB

Download