pandastealer | da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61

Resubmissions

17-12-2024 18:57

241217-xmcbqswkeq 4

17-12-2024 18:49

241217-xgb4sawjbm 10

Analysis

max time kernel
1389s
max time network
1797s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe-air-51-1-1-3.exe
Size

5.9MB
MD5

34dba7939065022ad74458acbae28abd
SHA1

5f4e6e7cc0f2970068ff1c05189a8dc6881b8d33
SHA256

da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61
SHA512

6271f67b486c7273fd391e4379f987fcce3042947909e97d05290d04469588a94bd501685f686037a400b788d6693e73f7d7799069c772b80da9556322c6cc79
SSDEEP

98304:FOB7drLD5C522D5K6O6DWT9dCrVodEdhIW5LkrNcBByeTTC3qdqH2pjin6uYRjUI:gB7drxU22DJVAbAeOIyBBNiKqMbZUI

Score

10^/10

pandastealer discovery phishing stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a41a-4190.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2160	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
148	yandex.com
149	yandex.com
150	yandex.com

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\signatures.xml	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\setup.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\stylesNative.swf	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone128.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\AIR\hash	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\AIR\application.xml	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer	msiexec.exe
File created	C:\Program Files (x86)\Transformice\Transformice.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\digest.s	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone48.png	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\digest.s	msiexec.exe
File created	C:\Program Files (x86)\Transformice\TransformiceAIR.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.msi	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\.airInstallTmpFile.tmp	Adobe AIR Application Installer.exe
File created	C:\Program Files (x86)\Transformice\mimetype	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.msi	adobe air installer.exe
File created	C:\Program Files (x86)\Transformice\icone32.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone16.png	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBBE.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e81a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI558B.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76e7fe.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File created	C:\Windows\Installer\f76e81c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e81a.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File created	\??\c:\Windows\Installer\f76e807.msi	msiexec.exe
File created	C:\Windows\Installer\f76e817.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e817.msi	msiexec.exe
File created	\??\c:\Windows\Installer\f76e7fe.msi	msiexec.exe
File created	\??\c:\Windows\Installer\f76e801.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAB3.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76e801.ipi	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
2320	Adobe AIR Installer.exe
1948	adobe air installer.exe
1824	Adobe AIR Updater.exe
4196	Transformice.exe
3552	Install Transformice.exe
1852	Adobe AIR Application Installer.exe
3664	Transformice.exe
4600	Transformice.exe
4368	Transformice.exe
3868	Transformice.exe
2588	Transformice.exe

Loads dropped DLL 35 IoCs

pid	Process
2380	adobe-air-51-1-1-3.exe
2380	adobe-air-51-1-1-3.exe
2380	adobe-air-51-1-1-3.exe
2380	adobe-air-51-1-1-3.exe
2320	Adobe AIR Installer.exe
2320	Adobe AIR Installer.exe
1948	adobe air installer.exe
2320	Adobe AIR Installer.exe
1824	Adobe AIR Updater.exe
1824	Adobe AIR Updater.exe
1824	Adobe AIR Updater.exe
1824	Adobe AIR Updater.exe
1824	Adobe AIR Updater.exe
4196	Transformice.exe
4196	Transformice.exe
4196	Transformice.exe
4196	Transformice.exe
3552	Install Transformice.exe
3552	Install Transformice.exe
3552	Install Transformice.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
1852	Adobe AIR Application Installer.exe
3664	Transformice.exe
4600	Transformice.exe
4368	Transformice.exe
3868	Transformice.exe
2588	Transformice.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe air installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe-air-51-1-1-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Application Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	adobe air installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Application Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Application Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	adobe air installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Adobe AIR Installer.exe = "32767"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	Adobe AIR Installer.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\ProgramShortcut	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\PackageCode = "BBD26563A231C6047BF676630876766C"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\ProductName = "Transformice"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.air	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\DefaultIcon\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE,1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0449CE60EFC8852D9C0992133D806BBE\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\ = "Install"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\ProductName = "Adobe AIR"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\DesktopShortcut	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\AIR384F.tmp\\Transformice\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\Content Type = "application/vnd.adobe.air-application-installer-package+zip"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\ = "Installer Package"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\Application	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\command\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Management	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net\1 = "c:\\users\\admin\\appdata\\local\\temp\\airc533.tmp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0449CE60EFC8852D9C0992133D806BBE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Runtime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\LastUsedSource = "n;1;c:\\users\\admin\\appdata\\local\\temp\\airc533.tmp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIR384F.tmp\\Transformice\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids\AIR.InstallerPackage	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\PackageName = "setup.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\ = "AIR.InstallerPackage"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Version = "855703553"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adobe AIR Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Adobe AIR Updater.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2160	msiexec.exe
2160	msiexec.exe
2160	msiexec.exe
2160	msiexec.exe
3760	chrome.exe
3760	chrome.exe
2160	msiexec.exe
2160	msiexec.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	1948	adobe air installer.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeSecurityPrivilege	2160	msiexec.exe
Token: SeCreateTokenPrivilege	1948	adobe air installer.exe
Token: SeAssignPrimaryTokenPrivilege	1948	adobe air installer.exe
Token: SeLockMemoryPrivilege	1948	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	1948	adobe air installer.exe
Token: SeMachineAccountPrivilege	1948	adobe air installer.exe
Token: SeTcbPrivilege	1948	adobe air installer.exe
Token: SeSecurityPrivilege	1948	adobe air installer.exe
Token: SeTakeOwnershipPrivilege	1948	adobe air installer.exe
Token: SeLoadDriverPrivilege	1948	adobe air installer.exe
Token: SeSystemProfilePrivilege	1948	adobe air installer.exe
Token: SeSystemtimePrivilege	1948	adobe air installer.exe
Token: SeProfSingleProcessPrivilege	1948	adobe air installer.exe
Token: SeIncBasePriorityPrivilege	1948	adobe air installer.exe
Token: SeCreatePagefilePrivilege	1948	adobe air installer.exe
Token: SeCreatePermanentPrivilege	1948	adobe air installer.exe
Token: SeBackupPrivilege	1948	adobe air installer.exe
Token: SeRestorePrivilege	1948	adobe air installer.exe
Token: SeShutdownPrivilege	1948	adobe air installer.exe
Token: SeDebugPrivilege	1948	adobe air installer.exe
Token: SeAuditPrivilege	1948	adobe air installer.exe
Token: SeSystemEnvironmentPrivilege	1948	adobe air installer.exe
Token: SeChangeNotifyPrivilege	1948	adobe air installer.exe
Token: SeRemoteShutdownPrivilege	1948	adobe air installer.exe
Token: SeUndockPrivilege	1948	adobe air installer.exe
Token: SeSyncAgentPrivilege	1948	adobe air installer.exe
Token: SeEnableDelegationPrivilege	1948	adobe air installer.exe
Token: SeManageVolumePrivilege	1948	adobe air installer.exe
Token: SeImpersonatePrivilege	1948	adobe air installer.exe
Token: SeCreateGlobalPrivilege	1948	adobe air installer.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3664	Transformice.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2320	Adobe AIR Installer.exe
2320	Adobe AIR Installer.exe
2320	Adobe AIR Installer.exe
1948	adobe air installer.exe
1824	Adobe AIR Updater.exe
1852	Adobe AIR Application Installer.exe
3664	Transformice.exe
4600	Transformice.exe
4368	Transformice.exe
3868	Transformice.exe
2588	Transformice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2380 wrote to memory of 2320	2380	adobe-air-51-1-1-3.exe	30
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1948	2320	Adobe AIR Installer.exe	32
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 2320 wrote to memory of 1824	2320	Adobe AIR Installer.exe	35
PID 3760 wrote to memory of 672	3760	chrome.exe	37
PID 3760 wrote to memory of 672	3760	chrome.exe	37
PID 3760 wrote to memory of 672	3760	chrome.exe	37
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4772	3760	chrome.exe	39
PID 3760 wrote to memory of 4796	3760	chrome.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe
"C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\AIRC533.tmp\Adobe AIR Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AIRC533.tmp\Adobe AIR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\appdata\local\temp\airc533.tmp\adobe air installer.exe
    "C:\Users\Admin\appdata\local\temp\airc533.tmp\adobe air installer.exe" -stdio \\.\pipe\AIR_2320_0 -ei
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
    "c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe" -installupdatecheck
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5559758,0x7fef5559768,0x7fef5559778
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2156 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:2
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2452 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3476 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2332 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2380 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3620 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3592 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3812 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4004 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4364 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3704 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4300 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3692 --field-trial-handle=1196,i,16934270263528055717,9514599497262627448,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Users\Admin\Downloads\Transformice.exe
  "C:\Users\Admin\Downloads\Transformice.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\AIR384F.tmp\Install Transformice.exe
    "C:\Users\Admin\AppData\Local\Temp\AIR384F.tmp\Install Transformice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3552
  - - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
      "Adobe AIR Application Installer.exe" "C:\Users\Admin\AppData\Local\Temp\AIR384F.tmp\Transformice"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:1852
    - - C:\Program Files (x86)\Transformice\Transformice.exe
        
        "C:\Program Files (x86)\Transformice\Transformice.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:544

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5559758,0x7fef5559768,0x7fef5559778
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:2
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2160 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:2
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1356 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3464 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2520 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2484 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2744 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3772 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4060 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3672 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3556 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2660 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4176 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4200 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2804 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2480 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3832 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1964 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4324 --field-trial-handle=1260,i,8471892761591143924,12368029140923043844,131072 /prefetch:1
  2⤵
  PID:4188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3244

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e802.rbs

Filesize
14KB

MD5
dd12f22222f2a5e582cb8368c2be6c05

SHA1
b91b90047b5d935429557d886f5f2f73f7a25963

SHA256
9ad98930b53aec03e87fff86f6814de8ec48ad7e640793aaf55ca8b6c4339bc8

SHA512
87bfa2b77238e70c33fce9f7fac3a4f57100efd5f11049dd1ee9e2979704a6a1a2982f872755f5daf5c84293092a1ff650e80c0fcc2ea2597bc5e005a61795fe

Download Submit
C:\Config.Msi\f76e80a.rbs

Filesize
11KB

MD5
631aaef2f22ddcad7eeeccbd1caf66fc

SHA1
fbd35f16132cf6ae51cf0d79ee9519a609bed3c5

SHA256
049f890aa616658a43d5b7d59c2b8e38e6b97806f54f1aff09ec4bc0b97641d4

SHA512
6d29076c63b24c729767a4ce1ef349f71249414cdb47b11a532c81996c33de13fcd42b614977e57adc7564e65bbbf31eade50a7c2373ac3bb3ef4b3232cbaeba

Download Submit
C:\Config.Msi\f76e816.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\f76e81b.rbs

Filesize
9KB

MD5
c50f4fc2f3d2c97d9043139fe835dce4

SHA1
ea544f13b0954c4a43c14393c5e0b62df4cca302

SHA256
270334b52e030983921e5e75b08ff0f32ff58ff4cac376aac34faa6492ba186e

SHA512
633f69f5ad98fc0449f7c0548ab7f4887968192f1e9b91fa83d12abd590b0b0d049db5c59d7e3612c6db159eeda8637af51f961a629810aa48ed77df5b9019a1

Download Submit
C:\Program Files (x86)\Transformice\Transformice.exe

Filesize
139KB

MD5
055a34bd625727d3e1f9fc15e2ff6c3b

SHA1
d9f23f91240c6ebdb6cb88f25b43ac68da40d6be

SHA256
a0c992369f8bf35c5856d1fd4930ac72c682bb74d8f6764466e4630b1a6a9347

SHA512
28afec89c505bc01592774e1a2eb14b4d104a13c2e351cd3c468cec7314be0af86561b8e1684765ef254f776416dd69009b9cdd1a577ce63e2ee5af4d44904ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
0ace143cb97ab0130393070ac4892954

SHA1
3fec2e32480c9dd061e80d77335c1e2f490c6c6c

SHA256
b6f7212684f65133b7cc794ea3b665705147f63d2642e1481b193e64365e52fb

SHA512
d8ac823952317ff08818743bdbaa6b40bf1eb241260316b9a64f7e2d462c47e925c02cfa5c50b1f7232edcd4ade5dac81121661d1ec50232b19885c5e3c44444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95ebcf0bf0b4019ba33cb5b6f87d37bc

SHA1
475627e0c57fa0d8d43b6211855c8c739ec9ce48

SHA256
5553a182d25969d88f76b01c89baee150f6e62c695be3e90c915ad69b8020190

SHA512
03c8635e890b463356d79c7ff07028fa45b1e56863b35021d865f93186c777c5f55824872d16f4593fa282e140819bb6ddc84504f7cb74052537eeff3a219001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b26ef60bfb92601ad5650a084b82994f

SHA1
f487f37432fb07bb981c8cd63845ab72a88e0e73

SHA256
f5701ab3fbbeb5176ac39993912ae352947ae1ca467dae6eab90fec65c21cd0d

SHA512
81ffc480c41acfcd80eee1e0d874876c60f36175bf39b7c144f5990411bed193f42b07d7b15329dd7167adc4d812b1fcf0228a24bf3ea0500e96733b1c784d01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42f65a8a1dca3a2eec3cc83e63622ec3

SHA1
d7eb7a53f33527efc5945787f57e9ee2b0db9ff6

SHA256
1bfb82e2359eb6b44e64c18a2ec5a1dbfef60f5c64207cd5228cefdd1cb47bcc

SHA512
1021b906198b940507287a50669921c42e92fa660e6d7d89a4dd51549a36dc007cfb084a8ba3397d52deeeea3f2b1835a3ae66b8fa127fcf8a0beee638b89c7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c70f776a73667a86da76a35af32064c2

SHA1
dd92f0bdd3b37d01f14c3acb38a36c470ce293ea

SHA256
5d3cbc9b5ae95cb5bf597fe7942abc2d42b996ba72ec48aefab428e5fb2db267

SHA512
3399ed042b6207025a9661de4e0770de8ae58aeeb6f992696edb5256cd96952566e3c5dabf528aa31cb93dbe94e4bcc38dc7f8ec1743255d2f845a716a079d0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
506881974c6c25a09748e7cc44d7508d

SHA1
49497f038cc9f8f669ab46a4c502902a12ac3d13

SHA256
c271d66eecd509f744c93ad4d0f9cc3cbeab31352d4f0998723e4f71e7f9dc8a

SHA512
73a4eba9640e5265502ec1b168b1fc446edac32f0d86fa34ef152717cb2a866a515eae2bd3ed480c427114886d679e182aa6ea5b5119f0e0bf405ba2bbd7ffe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5389a794c8018553faf9f93ea95e8206

SHA1
48c3d45fadf20ad573a64bfe0b9dc537dbb31a18

SHA256
90a69d100376e2c57522f80024c2efa0cdf10256e3beea121a58573b8df154c1

SHA512
6a350f68cb77b735f557918b1e7cb4196881779f9f60ac2913f9d697a04cba0acfce8ab9811368a38d17334dcf35224a04d3724f1d5bcd924b286cb6ebb909ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c9bfb9e93c4d882de73da75fc0f35d5

SHA1
6b377aaa846abbcc7c47cbc63209c0d3fa62a87b

SHA256
aaaee19495e183e09526a30684d17a8122b3ede0e956f9b717017c66a62be41a

SHA512
152a6e39def957d15738306a9b3d13d8c8d4466966f9292e751b1a11a8421db29c4bde9316ccbc5758fe14ad3a40c90f11176b34124f1a59627b26c236b5ff58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
587feca041d3033137814933765fa928

SHA1
1912c150b697a12bec97a1ed4bfc9f01dd24b7e7

SHA256
abcba3d3529175cf6c8e63cdd5932f49b5b3c000f72310e5bca5aed460a38253

SHA512
a9e895f6db4c8c3672be89ce666c047d738a22b961e7e621992501afe00f2bad43d63154a0cda309b419a469913173b77b5df9f9da8685f3e966e4f9e6201da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
72ccc6060742b82a11c5f0333be758fa

SHA1
a420666cc6bd15223c3b461c728185d4a5b3e133

SHA256
59e032d02600916e3227e365d7c0655af022366cf3020b72df2101adde213575

SHA512
25898acae59f19c7f854f98bfae55c874fd0b75b8b8030bdb7fee91f18399e2d50360bafaff26b3b924321b43d7c13f6a8a84f8c50ce956b1000898748bbc5fd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
511B

MD5
020e2c70b2f64fc45c0fc65196c1f271

SHA1
f359a1d5d8be2dc5628790c5f33d21aa20a8d65f

SHA256
686f2f11e5beee87f2895606dc3018d3a250f600ed663767fcd111e38b2d4f0a

SHA512
c9dfc6cb9baec282e985a4a3f6a4f3add03263dd6feec58b8dd7d9d9974edd9292bed9bae7720a42df75be5e4ae68999d9ce995feea530bb7c0d67e7d9c03f98

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
35d2fa596f986865c4a61978119e81a7

SHA1
9cbac2cafd7beae688b3b1149b66aa24b2649035

SHA256
432be502b419013f775aef27eab5d88fd8c185f3e7a35a209a1474303dc4c2a1

SHA512
8862d82f7a51008c7359db72eba8290bdf63961f8d9d1df20fe74c0276059959688ccba604a16437589cea5abb3c2507e7e396391c9836039a0e6f37e741ecc4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
52bbe87e9e1c41cdfdd2a3e68900a1a7

SHA1
ebf21c42cc7350e208ecac4d457807fa54493461

SHA256
46f9ca9a781c8ca9461469cdd1326942b037975fd7ddc90d45a62d759847a152

SHA512
00af047cf339f933ed11071e4f3f9048aae14710a6a392dc06a866529b8e874d8ecabd40adb69597e5b99de01070f54ec31ca966f1136772036c122dd7c117fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5c4296cd-4094-4f00-a28f-5b67a0f3911b.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a5ff7b8d3f9da95f3edc95416ad0ee3a

SHA1
a1d3fb57133e5369e14db282af76e1c6593cc9b2

SHA256
7237c8d0f62cf771e73c5e6099e0ff332f3bd57474348b304390afb190f9fcfd

SHA512
d0ac399fbcf673e3045e62b5bdeee954cf08fe562f2aba8c718980b504e00af2cb3c14ee28c719fc46058cb9ede922f373f2d53e585e29c4d7e1d2eecea2898e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0c4b7c19-1657-4605-a5e0-1c0d4957e408.tmp

Filesize
8KB

MD5
0c8d7e5dd551fd55d75943edd245a95a

SHA1
05095f6a00b5870761e45dd2fdf048abe1f43613

SHA256
2a6e5ad7edee1a2a6c09fed6dd36024f8eba46731b32113036612f5db258806d

SHA512
abd1e3a88ebf82471edc7968ed0301f2e8af5633df2c25c4a9ace8d6b6e55a304018e3da16c6901f5a2618b42e38153d6aee9ce248b7c0a322b846d15a364872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
39KB

MD5
074d7c0ab0352d979572b757de8b9f0c

SHA1
ca7dd3b86c5e8a750401b8d6d773a9cc3af55b81

SHA256
46a06c3ec01cd4c5d5d8bb131febc48e3b1eeac94a47fe0718dfce6af821f83a

SHA512
00de9f645ca784322b005c73302aa573ab0665e8334533e7408326f0c84c12f3d056f39a2197d5c4bb8092f3b09dec4b79ec73de1b5d161951c5c48b9548216d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000046

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf770b66.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\776c0c51-ec61-4f01-beff-b60be076c0b7.tmp

Filesize
8KB

MD5
bd1183db5034a87e7ea1c851c4b52af6

SHA1
f58ecc6377d43c1eead231e13371555706c1028a

SHA256
4c2a8207aece6cbb25f3adf987964af06bd9e86ab6065b7880c2e6f874a3f572

SHA512
6856c3362e4cb9394facb333904656b90b959c5a3844f2092434289bfe0279d9c8fa7de9d29a50ef1b13985f6c52d4e588e14fad007ad0cc7286622594afed2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
41fae354c9de6bdb36a5f8608ecff08b

SHA1
d9b14f7559236e10f998c1b49ee037ddf9519827

SHA256
667f70aaa33225b1389f4a893cd0c3460f16bc53761c088fa02d359079235cee

SHA512
4fa8a311611b40290888d08538a178b9603e27ee42451ceacb11b8869b58eeb03b32ec3dabdd15e6bd801d58e1b00ccd6b55ac5dcf0a6e02c294334ca3f678e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3dfe67bdee3b269cd7e6340147989b6f

SHA1
1926d4986eed10478d782f4810837ce562924053

SHA256
2da02490cdd4909debd2ffc49493bb8b94686a8307b6189c64b5249946cfba62

SHA512
75016cb7ed1cfa0f058042029e593b28f0b33c22968b0996f7275949b4a27e830326ba41da0d14bebb9578c8bb08d20f52dbc33bdd6826a66c7c218b7f01529f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
192c52dee2dab6906030badc9fa38e7e

SHA1
419618a5d0b7d77472092eb20254d636bfef8d52

SHA256
9c0abdbd9d7686dc199e3f5b34567bf9e4e75b8bc4463aaa87bc0f80e464dbfd

SHA512
76fdc938951393427834c0c322ff642a19e0460b823973d43f3af82ac33ccb49c9095c9c4cfff8393baa939014d17520d333a7476e00be811fc64a9ad77d5e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4f4e25c8641113f905e250cf5b098b30

SHA1
844bf2e5ccf441d04846b47dc60c0fc9d4865558

SHA256
70dd03a895988d1ee58b808e203e969a812bc8df03ace011e09c67f63639519d

SHA512
d33463e22d71539ac8ef58eff21f049af822178dfc6a9d62e1d9600a8f480b0fea0e8ef9b3be5362680a788e26fb901f543383adf50432c1fec89905fc407f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f1fe91c3294f9acf3ff05b07b52d9653

SHA1
5c89085842239db9696fff5479a8926b09e8b315

SHA256
d7f8c1aea330f95289f34bbc4bc4d143faa4163eb300383a698aae2ce92f5880

SHA512
e23cfa31ca8ad874477720db6cb86488328efacd4747ce8a0de2f13988ed3d41042eaad58f1aa015c9e021ffda4b3adc254ee33297f243816fd41769ca32eefe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
857850877adc0e1dde792ee92e4d7477

SHA1
b1a4d48c4daac798531eef93014f2d9fe89e8307

SHA256
05550be824d531501b30bbdda8dc7dc5361c40fa86a0621fce36e3085edf94b3

SHA512
f3054e38547aae52169b609db03b49380e3714bfae40d7940a0f5db3e5aebd5a2973fbe118f37b7ebafa35b7b9781cc2b098f4aeec37a13c89ea77915f7e7a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
31be8d8a4d19f8d6646c8ecd688f7f37

SHA1
abc4a4127bd48c7cbf26ad97707537060a81e111

SHA256
08f09d17728a091e46b0f68f2cb9ac70246c3ee5a842474b79953a145dda5e82

SHA512
1fc7ddeb2ad8f039e920062f2f241efd40e20cc3b6d20fe0db512f5c1fcaf0775a1e6a513473e6d92e176202bc557c55c141d8eecca174c7799165f5f488f56b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5d0713a3-2f49-42b8-9c78-05dd691ea938\0

Filesize
4.8MB

MD5
9f0c0ddae7c91118e349a6992235e98f

SHA1
11b2720554b955b80f1159ef130c865e1c8914ab

SHA256
654a17ffd5d9b44e309a9159cce8899de457439a19f7cb3c76f277c23318963e

SHA512
41e2765607a015c20e6bb2ab760f58f6f272e37c9ed13102209c8ebfe163aa0b3e0b8a31c81d5bd673a95d1966d78c76b29fd875b0c98483f16110c3b85e7745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
e45563403536a6287725ca226d9b1127

SHA1
4a8aa245c92b1d95ff7e86e9e1df36f1af5c833f

SHA256
ff7d08be819c7833752abf2588e83d1e40fdfe90d6703921083d9605bb8b9f79

SHA512
0be3db30842f5ada2c45bcb84886ab6a098cf6df5b0d18ec621983b67b84e385c426ac6b12d7fb0290e4f5ea54100975578a723a1495c2c0ea70862ed265c965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
179KB

MD5
3b6f47d13ac8c575f1fd016a6afe415d

SHA1
82ed95a0576d699d7a64e03b0fb612a508ff09e4

SHA256
de27e3125d001d6e8a68bb1313ff1283ea1e342482623750ec3b9ee2fe7044e8

SHA512
92a2837db466ae476faeaf00c514bf3aa01c2166402e186cb6055e4157dcce3648fe715ec12afecff5f0cec46d963918d345cb6b7064bedd063bab3d370b70e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
8f4047dec595f02f18538a0a966640e5

SHA1
4ae7a597370b997f250e7c57f6cec9b867e6e7fa

SHA256
0d02d49a552c2376441cceda8857680b06b634fb8b092739f889d2902a0e2e3f

SHA512
84ae84e6f85ffa5108d7eec5a130b1b34651c8000b69809353c0c7aad4019d2a8b7994db96b941d0eeae73d9db5667d154132004b9efb24ee8e909697e76d804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFf8266ee.TMP

Filesize
179KB

MD5
548c22629d05c347ae04f343f220670a

SHA1
02a63a27ed303199beea8d310a27036b32c25803

SHA256
fbd5cad173c2c0b6babbba4e991bb087951bad2f1f554583957f05760964a04d

SHA512
c87d7ba422643442b9292c7207696f43e6274f465aea3d0a41bfcc381a7cb3d7aa9d6f564637c15d882eeffb2ecc45cbf5799d8d1af7694bf589c146a3e64311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\df3c6908-425b-4589-99e2-94ca6e9ec669.tmp

Filesize
344KB

MD5
a6060961beb9ea070dfcd40f5c84970c

SHA1
1f538759f647bce4c32e9ccf4d2445c5dced6d90

SHA256
dc29531415c744043fc300ab77d5216eaf69bbcd2e6b7362e070eec5e9678b8d

SHA512
6506004bf3e2f27bd94b2927a79e9d848e76035f0fd4d1c3b8fef3c189de8876fa3c89eaeca431362c7b1839067977183901d765acfcc66c4f67570b91f7472a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\Tribulle[3].swf

Filesize
123KB

MD5
e3fcb09ecdf768b8ad33f6bc9ce95a2f

SHA1
026aef553d17329bea0aba6d4b997771580580b0

SHA256
8d33faf318ac36d4260f00e786fdd7c93b8f1bb93e84f0dd7623eb1a244dea3c

SHA512
2fa72b81604256a9dd08d1f612e971baa6a4d3d09ca80ab81833194189255c143f2414c0f484c5c006333cc016f4c5372f7e13fdeeb216f9cf73d4d84d07f78f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\info[2].php

Filesize
105B

MD5
db6b7e0131993e003ac733a26a585995

SHA1
7f0380250b73c03433e5074662613b9fb8a02176

SHA256
8227596b9cad5d2c266ac071ecc6cbad5f1ce026d38a172e7e007d38ece28162

SHA512
8ebb5d0c04f7965cda0b2c70311bf42f7ae6f2d39cb0cca7bc48fa5af1e1fef484acad47f1b47bf76075cea0250a18ad5abcbc85a9b76bf8bfeace97dfdf6acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR384F.tmp\Install Transformice.exe

Filesize
130KB

MD5
a5da8ba949718507dfda7a816326fdbe

SHA1
3af561103bfb62fb580ab44954cd56c0aefc275f

SHA256
75eadf5339a379e93627e0a6659939d7b4f22b60849d8b906900255564ecb494

SHA512
073decc81a69fe60ee059ac086434738e702fdee078a65f1497c54d9106665687ed88b60e29ad3d750bcd1447d1ed117095941232e6c1919c2e14511befaf5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRC533.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll

Filesize
13.4MB

MD5
b10e155460556fa4667536de7bb40e43

SHA1
a17872d7ff29a307fac5b4ed98887a420f716964

SHA256
371c442e9ce81a9514d25eccbe6e9c37a7b766bc5de1a7e03e50ac77cb8ce374

SHA512
4a3d2b0ec3d3ae868c50530136da228d835234198a41aa47ef11c40843249bad29425d50967ce8205c948336d02107e69655900c071cb5b3cb0c63e57ea557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRC533.tmp\setup.swf

Filesize
512KB

MD5
ad5f7d53caef368303bebde302582d92

SHA1
9efad61bf69e80d7468236695e0a108d360ae749

SHA256
2b501bfdb378ba7130b8e4b4b2263adfb4f95887cf071ded134f4cffeee5f40d

SHA512
8a31c0009c915dbb46c054388d793c1db8fc7b5ae1df419b3f284cad1d2f8db1f2ed759dcb126868d64af8a0a94c9e479776e6da86296af4e73a0850821c49e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE810.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE96A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
20KB

MD5
ead1c7800b526847c460a821de972b09

SHA1
6f77071e545f3f8614104b26de2f7426371b1322

SHA256
4781fd9e0146af3e0835a84ae371f09e568d54fd6eb1b2299a598251cac2ea34

SHA512
034f4f147fe25a275e09d655b4529182917715f954150a87e8710a54c1fa0559b8b498196164c0bea210b5e962c28302969caf31da802351dc578453ee950b4e

Download Submit
C:\Users\Admin\Downloads\Transformice.exe

Filesize
268KB

MD5
e0d19351dd3e1d5361def38659318249

SHA1
e6824969ebea151c77080b445ac416b56dd8630d

SHA256
6f378db45311af48c29fbd47550e7c181c748c1dab76cadd1f1f1c872ad288c8

SHA512
a684739e9f9283f1ad6dea9747fe46fd2feb9fb7854d128cd34b3543109cfc7c1f9cd21890ca27e55afd88d082ba81507eb3382968ba09cd33afc8208f33ec4b

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll

Filesize
8.0MB

MD5
479dfeb6bfdb8035dd2bf79cabb39e65

SHA1
e1b8a1363189abc7d3f7459bd6740682e43b30f2

SHA256
814728159d8e316eb6bc09fb1dafef911b708d1d1f51e8e866fee8e7965ce05e

SHA512
2650454e22176d31415c3be4dca4ed887bf30adf4f3655dde5d9cd538025b662ec9bf39657aff540c68aa1e4494c449099bc1a693ea2f835bd41ac51169778ca

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe

Filesize
59KB

MD5
5e9d2fccad3b9edbc0a8ab0fe1e5e510

SHA1
4f74227b71e570f57e0bf611de8fe2b73cd3aba3

SHA256
ba7cd3c2ef37746576ea934fbbfe6ce0f659977f604cb6528e642e6d82e60ff7

SHA512
8e5ae33075564851f1534767558b1be79894858a912e5f53b00c98ad38e46bcdd17e225e32acea78b634221b506a312185ea155faaac976642c6fc8ed352f035

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf

Filesize
352KB

MD5
8599589cb2f1cfad899f0e95c3cf2bc9

SHA1
5f749cd74d03b0d050be34eba34cfa11dabab3dc

SHA256
101140c8df33cd81af64000549872ef9e48af5913a27367e0865a4f83becc509

SHA512
216b21b7c373f083fbd4246555a94c8ade6c6d009a381d28b98a59028bc0eaf99ba937147c90184060ee3c6c6a95d9b0b249da3fb2ef16272eb881bb6e74e35d

Download Submit
C:\Windows\Installer\f76e817.msi

Filesize
21KB

MD5
164df4c65d8e4e8d910e2a1703ca3e75

SHA1
3531024204406e602e3157ff5ca8b9e36c1111fe

SHA256
9566c1dddc1d0ad10071e9f260a05a96da4307f64a9ee59ab318aab823cfee15

SHA512
3d14ff7274ba92cee9c1c25fe08bb03b9253b2ac8e316ebd738a935bb1ec6ad17042b3dc3a8ceacc15627d91cb4ff0885e326cb8bb11a1dd5408f9a571970636

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

Filesize
408KB

MD5
277739413fb03b430b50d60d679f3d97

SHA1
264da51d663ef366a19dca31faa83f2ae91c6e45

SHA256
96cf2ed23e21169633d3a78f0677fd28754c1f491d590809506dc075bb49eda3

SHA512
8429fa88b6e1eb072edaf28c79b320a6150f0579376d61c7f11a31b59a116848cff5315373a0393c238e1d19b4e4b5bd282f9de54a7749db658dda073f227cca

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf

Filesize
491KB

MD5
e9db98f0ab9334466bc94604c62e4c04

SHA1
992642151c9ef76e338509b592e29cde69383751

SHA256
c740ad52c9c1ab8d7762dd744f13742564cc1500b94d7a29bfc60311b7f22934

SHA512
7dfe2dadabeb3159a91b70280e5ca773f37d45babbe2c6a37989fc2848ffd0ec4ef9e3d8b6af69853be6adab935126b94b45216fa395c7fa0755f969c44c8c71

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

Filesize
383KB

MD5
557de97331f10692a1d1a6d757587f6a

SHA1
9d12b14515b876047e42e119048a0de6f791ae7b

SHA256
ee869bed7628dc2db4dd1ece9d2dcfb084cc803a08c007d3d88b0bf3343b15cb

SHA512
8d94d98c54b457b99e2c00a99f209fecc93544b3bdb998561cc0f8dac6768e3ae93b4737e18ce51d9d9059d45fd3566be0cb67b80f067d6484d7ddfcb6670076

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer

Filesize
1KB

MD5
bf70913ff8d6d60a47fe825330815db4

SHA1
6be8460639f5651848b2f83ab1463f5602be06c3

SHA256
944e66aa967bd390952d22426bf1dfcd379a2c87a21b942fbca79f41f0354aac

SHA512
108e3c8ec1d45de97a7efc5c6262602414bbb7a32477dd7d8aab4c9335365f2b95c52d4f708a4a7422f4d4e0877f222cd358411d7b78cebe83565954e4f465f0

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer

Filesize
677B

MD5
7f667a71d3eb6978209a51149d83da20

SHA1
be36a4562fb2ee05dbb3d32323adf445084ed656

SHA256
6b6c1e01f590f5afc5fcf85cd0b9396884048659fc2c6d1170d68b045216c3fd

SHA512
7f7329f4f9a3fb45b8aaa8eac9191bef9db85a1bdb13ed66d1ece6a51531f216eeb736a96d8baa87e033f2b7f0b8879954bc261c4c8bd632563ba153bc07e0b0

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe

Filesize
53KB

MD5
9cec1614a59cecacd3d31274bf00a37f

SHA1
b46af6fa2924b0c4d6e290ae0dcbc42e3d27ad1a

SHA256
e277d2a94295506fe1574cf0b4e499b204f83293b290fc1139098d55e2b7c176

SHA512
25f6c873bf406f3615bdf04aae5e66d3bd5b52bb77c7cda27a57cf5830012bcbec4cf5b0a563b868ec0fd47f1612fc4be6b6c355685db86b1da41b2bd856b64f

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\digest.s

Filesize
2KB

MD5
0f5295089e4ef5a7396007407ee21113

SHA1
e5731eaa83f4dec94fd51612beb8e72b42df8954

SHA256
4571ead5d878568c4082003d21f50a39b8687f08e8f631aa20351014373ed2b1

SHA512
49d02f3787454c9e0b77822de0f3761457eca4038fd7ba74e1c61232b5887b6f658161c7c088690641c33f4e0bad755b45886572e0cc1b468dc7d5c42f8257b3

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf

Filesize
229KB

MD5
bc2c33f2d32da05074e96ceafb8a25d1

SHA1
ab5b93ff24f10dd6446690862b34281964e70d55

SHA256
bbc0e77749778134698038ea107dd47e76e0cd849d34406eb960bf0c9f3c7a5a

SHA512
83c7676816594e5931d8a36827d492e7a52b120f23a1e3375ec0535698dbfddf955833fbf17accbe2bba05214d73eeae8ab9c0e4b3f74f796322f174f745609e

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\template.exe

Filesize
86KB

MD5
3c3024ded7007aa0d529555ac6754342

SHA1
5e3c3c583c14cc8207952bb18387e0ed852677af

SHA256
ece64eaa90de0446dbdd7fc96c36e0ed784bba0920d807cd2aeb15ea6d38d057

SHA512
38451c05dc7e65b9765dd28abe6ee8510f1e7b1f8cb683c833b601c95cb4151714a3b76581fe6841724805997db42e2e0d1f80228acf8985cd5131f64fbc9e0d

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\Versions\1.0\Resources\template.msi

Filesize
36KB

MD5
d4139b57677a2ad682938f60522e2b0f

SHA1
2ed0025422389df08373e056cd1dc6bd7295abc5

SHA256
cb2954595c2ac2c5c0ad6db3471073ea67b27e17914072f3cbf6344c97d6592d

SHA512
282db921c661601025f1c2b6e91e667ecc4f1595a85e23cd367b966df59470b910fd8e93ac4bbc1a4989f92d8245c140f8dc86036f25713951b5881acbd0c3f2

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\Adobe AIR\sentinel

Filesize
11B

MD5
a5c11ca014fe30b8085ea2e95f7196c4

SHA1
594e00fa5eaeaa9f99f7e45d92bab7dd7ca8575a

SHA256
096e4bfd9f7e1faf15058c0a0fe45e6dbd00e3e1360f21f2ca92bce16a9a919a

SHA512
9b3dd555ac1ab5e8dafcffdb6e23ebfffafecfb908c204e88a369c9c8e0fce326caa3aa2ac71be6629f018191cc379e29b1a919dc787fe29bc16c5f0ee24b26b

Download Submit
\??\c:\users\admin\appdata\local\temp\airc533.tmp\setup.msi

Filesize
48KB

MD5
5f75a11c1eb98a022e087ba7eefc2ea6

SHA1
9f46877e58f4549bcb2c4f0fd903d9fb49ecfb8a

SHA256
6f905ac0f120f11bfcf04496ae7cf6e3d0128f6cd6b08cf0cf5eab7ff9ce314b

SHA512
5f45bdffe6880197af1ae1f6ed1b1483a4595c982c39e33f89c5972658809dbd3041f0f8105206534baf129e0f5a8a51e05a4aa69b08d52edee530a2018afff8

Download Submit
\Users\Admin\AppData\Local\Temp\AIRC533.tmp\Adobe AIR Installer.exe

Filesize
383KB

MD5
6ba34f521e2de430fa5ba108e399d12e

SHA1
830ee63d8db0020201b6d0cb8d5a2ed2dd523256

SHA256
1a54ac75b4b671657c4368c6a73143e63462be076312921bc6d1e94a12426c58

SHA512
1e3826aa000abaa15d93e516b8398f31a9517d8dbbaa2ee671cfb2619af3818efe8b810e6fde3411c8b05b8c51afbd58b561c6d76e4383ac300bb7a3ce8f6401

Download Submit
memory/3664-12484-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12477-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12476-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12475-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12473-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12472-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12471-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12470-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12469-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12468-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12467-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12466-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12465-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12464-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12463-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12461-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12462-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12460-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12459-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12458-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12457-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12456-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12455-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12454-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12453-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12452-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12451-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12449-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12447-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12446-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12445-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12444-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12443-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12490-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12442-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12441-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12439-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12438-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12478-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12479-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12480-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12481-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12482-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12483-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12485-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12489-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12491-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12493-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12494-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12495-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12496-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12497-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12498-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12499-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12501-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12502-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12503-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12504-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12505-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12506-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12507-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12508-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12474-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download
memory/3664-12440-0x000000000C6B0000-0x000000000C8B0000-memory.dmp

Filesize
2.0MB

Download