pandastealer | da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61

Analysis

max time kernel
1557s
max time network
1560s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe-air-51-1-1-3.exe
Size

5.9MB
MD5

34dba7939065022ad74458acbae28abd
SHA1

5f4e6e7cc0f2970068ff1c05189a8dc6881b8d33
SHA256

da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61
SHA512

6271f67b486c7273fd391e4379f987fcce3042947909e97d05290d04469588a94bd501685f686037a400b788d6693e73f7d7799069c772b80da9556322c6cc79
SSDEEP

98304:FOB7drLD5C522D5K6O6DWT9dCrVodEdhIW5LkrNcBByeTTC3qdqH2pjin6uYRjUI:gB7drxU22DJVAbAeOIyBBNiKqMbZUI

Score

10^/10

pandastealer discovery stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001c59b-4249.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2384	msiexec.exe
5	2384	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Transformice\Transformice.exe	msiexec.exe
File created	C:\Program Files (x86)\Transformice\TransformiceAIR.swf	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone48.png	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\setup.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\stylesNative.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.msi	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.msi	adobe air installer.exe
File created	C:\Program Files (x86)\Transformice\META-INF\AIR\application.xml	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\digest.s	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone16.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\signatures.xml	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone32.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\icone128.png	msiexec.exe
File created	C:\Program Files (x86)\Transformice\META-INF\AIR\hash	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\digest.s	msiexec.exe
File created	C:\Program Files (x86)\.airInstallTmpFile.tmp	Adobe AIR Application Installer.exe
File created	C:\Program Files (x86)\Transformice\mimetype	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76ee96.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	\??\c:\Windows\Installer\f76ee9c.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File opened for modification	C:\Windows\Installer\f76eeac.msi	msiexec.exe
File created	\??\c:\Windows\Installer\f76ee93.msi	msiexec.exe
File created	\??\c:\Windows\Installer\f76ee96.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF658.tmp	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BC4.tmp	msiexec.exe
File created	C:\Windows\Installer\f76eeb1.msi	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File created	C:\Windows\Installer\f76eeaf.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76eeaf.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76ee93.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA8F.tmp	msiexec.exe
File created	C:\Windows\Installer\f76eeac.msi	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
2432	Adobe AIR Installer.exe
1748	adobe air installer.exe
2148	Transformice.exe
3324	Install Transformice.exe
1988	Adobe AIR Application Installer.exe
3548	Adobe AIR Updater.exe
6768	Transformice.exe

Loads dropped DLL 30 IoCs

pid	Process
2684	adobe-air-51-1-1-3.exe
2684	adobe-air-51-1-1-3.exe
2684	adobe-air-51-1-1-3.exe
2684	adobe-air-51-1-1-3.exe
2432	Adobe AIR Installer.exe
2432	Adobe AIR Installer.exe
1748	adobe air installer.exe
2148	Transformice.exe
2148	Transformice.exe
2148	Transformice.exe
2148	Transformice.exe
3324	Install Transformice.exe
3324	Install Transformice.exe
3324	Install Transformice.exe
1988	Adobe AIR Application Installer.exe
2432	Adobe AIR Installer.exe
3548	Adobe AIR Updater.exe
1988	Adobe AIR Application Installer.exe
1988	Adobe AIR Application Installer.exe
1988	Adobe AIR Application Installer.exe
1988	Adobe AIR Application Installer.exe
3548	Adobe AIR Updater.exe
3548	Adobe AIR Updater.exe
3548	Adobe AIR Updater.exe
3548	Adobe AIR Updater.exe
1988	Adobe AIR Application Installer.exe
1988	Adobe AIR Application Installer.exe
1988	Adobe AIR Application Installer.exe
1988	Adobe AIR Application Installer.exe
6768	Transformice.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe air installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Application Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transformice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe-air-51-1-1-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Installer.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	adobe air installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Application Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Transformice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	adobe air installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Application Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Updater.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Transformice.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Adobe AIR Installer.exe = "32767"	Adobe AIR Installer.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\LastUsedSource = "n;1;c:\\users\\admin\\appdata\\local\\temp\\aird346.tmp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8663020007180A44EB446B23AFD487F0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0449CE60EFC8852D9C0992133D806BBE	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.air	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\ = "AIR.InstallerPackage"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net\1 = "c:\\users\\admin\\appdata\\local\\temp\\aird346.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\Application	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\Content Type = "application/vnd.adobe.air-application-installer-package+zip"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0449CE60EFC8852D9C0992133D806BBE\D23A06E79DA76FC73187F2CBBD3BE717	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\ = "Install"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Management	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\DefaultIcon\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE,1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\ = "Installer Package"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\ProductName = "Adobe AIR"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\ProgramShortcut	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\PackageCode = "D23A06E79DA76FC73187F2CBBD3BE717"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Runtime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D23A06E79DA76FC73187F2CBBD3BE717\DesktopShortcut	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\ProductName = "Transformice"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\AIR3C93.tmp\\Transformice\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\command\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\PackageCode = "BBD26563A231C6047BF676630876766C"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Version = "855703553"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D23A06E79DA76FC73187F2CBBD3BE717\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids\AIR.InstallerPackage	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\PackageName = "setup.msi"	msiexec.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Adobe AIR Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adobe AIR Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adobe AIR Updater.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
2384	msiexec.exe
2384	msiexec.exe
2384	msiexec.exe
2384	msiexec.exe
2384	msiexec.exe
2384	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1748	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	1748	adobe air installer.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	2384	msiexec.exe
Token: SeCreateTokenPrivilege	1748	adobe air installer.exe
Token: SeAssignPrimaryTokenPrivilege	1748	adobe air installer.exe
Token: SeLockMemoryPrivilege	1748	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	1748	adobe air installer.exe
Token: SeMachineAccountPrivilege	1748	adobe air installer.exe
Token: SeTcbPrivilege	1748	adobe air installer.exe
Token: SeSecurityPrivilege	1748	adobe air installer.exe
Token: SeTakeOwnershipPrivilege	1748	adobe air installer.exe
Token: SeLoadDriverPrivilege	1748	adobe air installer.exe
Token: SeSystemProfilePrivilege	1748	adobe air installer.exe
Token: SeSystemtimePrivilege	1748	adobe air installer.exe
Token: SeProfSingleProcessPrivilege	1748	adobe air installer.exe
Token: SeIncBasePriorityPrivilege	1748	adobe air installer.exe
Token: SeCreatePagefilePrivilege	1748	adobe air installer.exe
Token: SeCreatePermanentPrivilege	1748	adobe air installer.exe
Token: SeBackupPrivilege	1748	adobe air installer.exe
Token: SeRestorePrivilege	1748	adobe air installer.exe
Token: SeShutdownPrivilege	1748	adobe air installer.exe
Token: SeDebugPrivilege	1748	adobe air installer.exe
Token: SeAuditPrivilege	1748	adobe air installer.exe
Token: SeSystemEnvironmentPrivilege	1748	adobe air installer.exe
Token: SeChangeNotifyPrivilege	1748	adobe air installer.exe
Token: SeRemoteShutdownPrivilege	1748	adobe air installer.exe
Token: SeUndockPrivilege	1748	adobe air installer.exe
Token: SeSyncAgentPrivilege	1748	adobe air installer.exe
Token: SeEnableDelegationPrivilege	1748	adobe air installer.exe
Token: SeManageVolumePrivilege	1748	adobe air installer.exe
Token: SeImpersonatePrivilege	1748	adobe air installer.exe
Token: SeCreateGlobalPrivilege	1748	adobe air installer.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
6768	Transformice.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2432	Adobe AIR Installer.exe
2432	Adobe AIR Installer.exe
2432	Adobe AIR Installer.exe
1748	adobe air installer.exe
1988	Adobe AIR Application Installer.exe
3548	Adobe AIR Updater.exe
6768	Transformice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2684 wrote to memory of 2432	2684	adobe-air-51-1-1-3.exe	31
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 2432 wrote to memory of 1748	2432	Adobe AIR Installer.exe	32
PID 3004 wrote to memory of 2968	3004	chrome.exe	35
PID 3004 wrote to memory of 2968	3004	chrome.exe	35
PID 3004 wrote to memory of 2968	3004	chrome.exe	35
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3872	3004	chrome.exe	37
PID 3004 wrote to memory of 3912	3004	chrome.exe	38
PID 3004 wrote to memory of 3912	3004	chrome.exe	38
PID 3004 wrote to memory of 3912	3004	chrome.exe	38
PID 3004 wrote to memory of 3924	3004	chrome.exe	39
PID 3004 wrote to memory of 3924	3004	chrome.exe	39
PID 3004 wrote to memory of 3924	3004	chrome.exe	39
PID 3004 wrote to memory of 3924	3004	chrome.exe	39
PID 3004 wrote to memory of 3924	3004	chrome.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe
"C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\AIRD346.tmp\Adobe AIR Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AIRD346.tmp\Adobe AIR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\appdata\local\temp\aird346.tmp\adobe air installer.exe
    "C:\Users\Admin\appdata\local\temp\aird346.tmp\adobe air installer.exe" -stdio \\.\pipe\AIR_2432_0 -ei
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
    "c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe" -installupdatecheck
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:3548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7059758,0x7fef7059768,0x7fef7059778
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:2
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1492 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3756 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1552 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2608 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3780 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3980 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4428 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4444 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4472 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4424 --field-trial-handle=1112,i,16862276814990593510,17633683176547370426,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Users\Admin\Downloads\Transformice.exe
  "C:\Users\Admin\Downloads\Transformice.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\AIR3C93.tmp\Install Transformice.exe
    "C:\Users\Admin\AppData\Local\Temp\AIR3C93.tmp\Install Transformice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3324
  - - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
      "Adobe AIR Application Installer.exe" "C:\Users\Admin\AppData\Local\Temp\AIR3C93.tmp\Transformice"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:1988
    - - C:\Program Files (x86)\Transformice\Transformice.exe
        
        "C:\Program Files (x86)\Transformice\Transformice.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:6768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ee97.rbs

Filesize
14KB

MD5
783b120b8422b58f03b077d02b86901a

SHA1
e2254c0de9bf29a41be4c6fd11c5b23d0359b018

SHA256
f46015c2c7486474fedc9be9f4a328f3e3b58370192ca838df3aaa63cada4147

SHA512
1ed4d5bbe4a3f331b6ad8410deba8db3ceff40bdfcc15f0093f41bbfd13bd4589f63994dd946ce975ed2e4546988b2abdc67ff04a5d7f652c899d7ad5c87fc10

Download Submit
C:\Config.Msi\f76ee9f.rbs

Filesize
11KB

MD5
ecb9e28d70edb0671ecef364cdd952c1

SHA1
d938530aa13537183e0a3c1966255b5d5984ae87

SHA256
1e49c288e54ef5aed4a92778918fe78038325a49150aa200d96f6f1f624559c8

SHA512
0586e7c8e9712cc59a9b5bf8357470715e2f6a4fd1ff8e9c0c0c71bb600da760c0f1ed2e1415248f68d429fdc0021c7d0b3a778b51e194d78bf57b8fce5be4e6

Download Submit
C:\Config.Msi\f76eeab.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\f76eeb0.rbs

Filesize
9KB

MD5
67a1710896c92e668674e38360b6367c

SHA1
c368aa7060d2bd87241f3fb4dc9eaf7d1e33ebc5

SHA256
5c21129c371ef22f7b496fe3735e7b7295cdd2a08e362f06cfbd9a9f1690b80a

SHA512
d4bf9233a4bd99c2c09e557c4371a6c802d52c4e3ce284afd5de39a889d32f27a59517d293c3cea4943f771f1676665b2ee2e7cb53d7c166188e77dc7eb8214d

Download Submit
C:\Program Files (x86)\Transformice\Transformice.exe

Filesize
139KB

MD5
055a34bd625727d3e1f9fc15e2ff6c3b

SHA1
d9f23f91240c6ebdb6cb88f25b43ac68da40d6be

SHA256
a0c992369f8bf35c5856d1fd4930ac72c682bb74d8f6764466e4630b1a6a9347

SHA512
28afec89c505bc01592774e1a2eb14b4d104a13c2e351cd3c468cec7314be0af86561b8e1684765ef254f776416dd69009b9cdd1a577ce63e2ee5af4d44904ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe3c69699d429ab0f87f82b59f0370b6

SHA1
795e35316524932de55417d4e0d9d92ab7829993

SHA256
cd7fdff6901c27299f9d07131be6412942415a8091b9e3ee212b3411e3510186

SHA512
d4b173de5b9ceb1033a1b38ac4ec6df74e7d25770f7f5524a939f937d1a3928c0b0e1c3cd9a2c3bcc97accc0c4101085d13dcd9a12ca42735ce46b778c165c96

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
511B

MD5
8690418bd40f2c41f5f158df35c9f4f6

SHA1
85b8b678fb86a823f0e7eb7355bd297d3f1fed60

SHA256
86ac0e976cf9af6db15054d8467efef5f8ad2cfd8f990721148b2695993d9f27

SHA512
3f2eab62fb594a1bad0a2b77b1d43705f079cbba7efe08d6de8bcd4ab219ff467147b5a1871012febf4cf6290149c2304b51a6688779b94a3a94cccc7d888bf0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
5f0161ffee000b4dc7e15a8700802994

SHA1
f1662a2532d2ca5228d9d652ca0dea455f8764e9

SHA256
6d3772decd7bb65bf3beb6a9c53773b3c5b47d10465325f05db074d5b248b8b8

SHA512
d61582a1153667ed60e85fd0b2abab1d988760afd4dc963180ffcaf06698e59a984ab04d0f216b942a80307247049d322a26927c32ba04f1707b59666ffc4d35

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
bc81340fb7901ef3422628578967f2d8

SHA1
21e79abfab662348ec1a0d92dd7095226b5ff255

SHA256
a059ed36dd6b2a58606723aab00b851ee72aa557ddacef9f476509c83743dcf7

SHA512
5738211d20d467e3bce464052efa91074ceb042f56c626ea057ef568dddae3e758972b86ee33112c4ef5350868b6c44d8a42af28f24c6521c7856441eb731df0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
8b426c514e8c28d63ed23ae25e9bf8c0

SHA1
c9041138911ae58cdfa43e3b48eb69b5d381cf17

SHA256
e184b8a1c1fd3cd08e1a30281a4ce21bd0e2be8e9dc7569c27106c5e1a861706

SHA512
ea2d775a2c3dfa789ccae2b5f235ef358415c4f8b6116320b329a34901f5e30b033f3209a96b6ac265dd2d3968c2ec668871c84f90da3d2f4fedd132db0deb62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\75658d73-9155-4589-8e0d-8bbe559f689e.tmp

Filesize
337KB

MD5
370c170f62d372f3b8adacf750857d85

SHA1
773b9b61ef2aa5e46b2dac10a3d8dc2fabbc5441

SHA256
a379d8f815ceb8e460e2088f46f655940b88ed05161c5b2efd01dcc283b44ce5

SHA512
63b45460c32f59470438847a235d821d6aeb4f66f763df31c76efd7364addc55daf936e5b8572d259efe688872858e6a2c03430ce259edff69bb6a24c3d5f27e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf772c3e.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
e9315ed0eec4d93cb97aa794ebb846d8

SHA1
a59b4d52287b5426e7d0deacf7a3e3bdfd630dcb

SHA256
682a9a2e08624a8a88e0d5077dfe774a0336f9b1762d3269d127710dc8541ff1

SHA512
585f41e009ca941153745b9e584b317b51083e81a5c6bfcc7da1754ae306345c1542f68967482d322642601b5776c5fd18a64e70c36e4159b399749f1ca2dee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5cc1c8446e3818aef360ae40861b07fe

SHA1
0aaf5afb6bdf60d1ce687a2153244e5abda02922

SHA256
ca6279dcdde2d8db4798fa4cf15f695dec749779d94bb3ba612e0dfb4269d21e

SHA512
266b6cfb5d0eaf67edd429c02736bb7683f89c014ae406959192f2eaef36cb20af3840d68b6012850e688f6916bfb4ae45f66dd0cc9368ca122f6d17c9ffdd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
337KB

MD5
6c304b87d0ab514c8404c6c219b72047

SHA1
0016f65c88b545f3945e564d92f695861a33bb7d

SHA256
0d394da1a7e6551db9c129dcac1fbb981636f0d5386059f70c6302ff3948cf76

SHA512
8f0f6753eab1344cfdf5cae87c73bd172045b117c022d3221078ba50d9287a47e1ebbc53026bbd57a2352f3e59872500cc1b89fb320dc8686f2bb8815f62f7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\info[1].php

Filesize
105B

MD5
db6b7e0131993e003ac733a26a585995

SHA1
7f0380250b73c03433e5074662613b9fb8a02176

SHA256
8227596b9cad5d2c266ac071ecc6cbad5f1ce026d38a172e7e007d38ece28162

SHA512
8ebb5d0c04f7965cda0b2c70311bf42f7ae6f2d39cb0cca7bc48fa5af1e1fef484acad47f1b47bf76075cea0250a18ad5abcbc85a9b76bf8bfeace97dfdf6acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR3C93.tmp\.launch

Filesize
24B

MD5
71100a118618ca9623f517d7468278d1

SHA1
d0bca87f671fc06774cb667cf8bef962a0278ccc

SHA256
307a9865fd68d697675818cbd36f386102aae93b3ffc9526fa44deb0e541f2f0

SHA512
0a1f22d1e03f6af658d6c0377238c48b8a99adc1eaa3137cfd6def40f655762cca40e7b48ad2a77dd53b869b333300a7c68762da3feeee86e7c4837416679ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRD346.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll

Filesize
13.4MB

MD5
b10e155460556fa4667536de7bb40e43

SHA1
a17872d7ff29a307fac5b4ed98887a420f716964

SHA256
371c442e9ce81a9514d25eccbe6e9c37a7b766bc5de1a7e03e50ac77cb8ce374

SHA512
4a3d2b0ec3d3ae868c50530136da228d835234198a41aa47ef11c40843249bad29425d50967ce8205c948336d02107e69655900c071cb5b3cb0c63e57ea557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRD346.tmp\setup.swf

Filesize
512KB

MD5
ad5f7d53caef368303bebde302582d92

SHA1
9efad61bf69e80d7468236695e0a108d360ae749

SHA256
2b501bfdb378ba7130b8e4b4b2263adfb4f95887cf071ded134f4cffeee5f40d

SHA512
8a31c0009c915dbb46c054388d793c1db8fc7b5ae1df419b3f284cad1d2f8db1f2ed759dcb126868d64af8a0a94c9e479776e6da86296af4e73a0850821c49e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF22.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF04D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 377476.crdownload

Filesize
268KB

MD5
e0d19351dd3e1d5361def38659318249

SHA1
e6824969ebea151c77080b445ac416b56dd8630d

SHA256
6f378db45311af48c29fbd47550e7c181c748c1dab76cadd1f1f1c872ad288c8

SHA512
a684739e9f9283f1ad6dea9747fe46fd2feb9fb7854d128cd34b3543109cfc7c1f9cd21890ca27e55afd88d082ba81507eb3382968ba09cd33afc8208f33ec4b

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll

Filesize
8.0MB

MD5
479dfeb6bfdb8035dd2bf79cabb39e65

SHA1
e1b8a1363189abc7d3f7459bd6740682e43b30f2

SHA256
814728159d8e316eb6bc09fb1dafef911b708d1d1f51e8e866fee8e7965ce05e

SHA512
2650454e22176d31415c3be4dca4ed887bf30adf4f3655dde5d9cd538025b662ec9bf39657aff540c68aa1e4494c449099bc1a693ea2f835bd41ac51169778ca

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe

Filesize
59KB

MD5
5e9d2fccad3b9edbc0a8ab0fe1e5e510

SHA1
4f74227b71e570f57e0bf611de8fe2b73cd3aba3

SHA256
ba7cd3c2ef37746576ea934fbbfe6ce0f659977f604cb6528e642e6d82e60ff7

SHA512
8e5ae33075564851f1534767558b1be79894858a912e5f53b00c98ad38e46bcdd17e225e32acea78b634221b506a312185ea155faaac976642c6fc8ed352f035

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf

Filesize
352KB

MD5
8599589cb2f1cfad899f0e95c3cf2bc9

SHA1
5f749cd74d03b0d050be34eba34cfa11dabab3dc

SHA256
101140c8df33cd81af64000549872ef9e48af5913a27367e0865a4f83becc509

SHA512
216b21b7c373f083fbd4246555a94c8ade6c6d009a381d28b98a59028bc0eaf99ba937147c90184060ee3c6c6a95d9b0b249da3fb2ef16272eb881bb6e74e35d

Download Submit
C:\Windows\Installer\f76eeac.msi

Filesize
21KB

MD5
164df4c65d8e4e8d910e2a1703ca3e75

SHA1
3531024204406e602e3157ff5ca8b9e36c1111fe

SHA256
9566c1dddc1d0ad10071e9f260a05a96da4307f64a9ee59ab318aab823cfee15

SHA512
3d14ff7274ba92cee9c1c25fe08bb03b9253b2ac8e316ebd738a935bb1ec6ad17042b3dc3a8ceacc15627d91cb4ff0885e326cb8bb11a1dd5408f9a571970636

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

Filesize
408KB

MD5
277739413fb03b430b50d60d679f3d97

SHA1
264da51d663ef366a19dca31faa83f2ae91c6e45

SHA256
96cf2ed23e21169633d3a78f0677fd28754c1f491d590809506dc075bb49eda3

SHA512
8429fa88b6e1eb072edaf28c79b320a6150f0579376d61c7f11a31b59a116848cff5315373a0393c238e1d19b4e4b5bd282f9de54a7749db658dda073f227cca

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf

Filesize
491KB

MD5
e9db98f0ab9334466bc94604c62e4c04

SHA1
992642151c9ef76e338509b592e29cde69383751

SHA256
c740ad52c9c1ab8d7762dd744f13742564cc1500b94d7a29bfc60311b7f22934

SHA512
7dfe2dadabeb3159a91b70280e5ca773f37d45babbe2c6a37989fc2848ffd0ec4ef9e3d8b6af69853be6adab935126b94b45216fa395c7fa0755f969c44c8c71

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

Filesize
383KB

MD5
557de97331f10692a1d1a6d757587f6a

SHA1
9d12b14515b876047e42e119048a0de6f791ae7b

SHA256
ee869bed7628dc2db4dd1ece9d2dcfb084cc803a08c007d3d88b0bf3343b15cb

SHA512
8d94d98c54b457b99e2c00a99f209fecc93544b3bdb998561cc0f8dac6768e3ae93b4737e18ce51d9d9059d45fd3566be0cb67b80f067d6484d7ddfcb6670076

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer

Filesize
1KB

MD5
bf70913ff8d6d60a47fe825330815db4

SHA1
6be8460639f5651848b2f83ab1463f5602be06c3

SHA256
944e66aa967bd390952d22426bf1dfcd379a2c87a21b942fbca79f41f0354aac

SHA512
108e3c8ec1d45de97a7efc5c6262602414bbb7a32477dd7d8aab4c9335365f2b95c52d4f708a4a7422f4d4e0877f222cd358411d7b78cebe83565954e4f465f0

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer

Filesize
677B

MD5
7f667a71d3eb6978209a51149d83da20

SHA1
be36a4562fb2ee05dbb3d32323adf445084ed656

SHA256
6b6c1e01f590f5afc5fcf85cd0b9396884048659fc2c6d1170d68b045216c3fd

SHA512
7f7329f4f9a3fb45b8aaa8eac9191bef9db85a1bdb13ed66d1ece6a51531f216eeb736a96d8baa87e033f2b7f0b8879954bc261c4c8bd632563ba153bc07e0b0

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe

Filesize
53KB

MD5
9cec1614a59cecacd3d31274bf00a37f

SHA1
b46af6fa2924b0c4d6e290ae0dcbc42e3d27ad1a

SHA256
e277d2a94295506fe1574cf0b4e499b204f83293b290fc1139098d55e2b7c176

SHA512
25f6c873bf406f3615bdf04aae5e66d3bd5b52bb77c7cda27a57cf5830012bcbec4cf5b0a563b868ec0fd47f1612fc4be6b6c355685db86b1da41b2bd856b64f

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\digest.s

Filesize
2KB

MD5
0f5295089e4ef5a7396007407ee21113

SHA1
e5731eaa83f4dec94fd51612beb8e72b42df8954

SHA256
4571ead5d878568c4082003d21f50a39b8687f08e8f631aa20351014373ed2b1

SHA512
49d02f3787454c9e0b77822de0f3761457eca4038fd7ba74e1c61232b5887b6f658161c7c088690641c33f4e0bad755b45886572e0cc1b468dc7d5c42f8257b3

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf

Filesize
229KB

MD5
bc2c33f2d32da05074e96ceafb8a25d1

SHA1
ab5b93ff24f10dd6446690862b34281964e70d55

SHA256
bbc0e77749778134698038ea107dd47e76e0cd849d34406eb960bf0c9f3c7a5a

SHA512
83c7676816594e5931d8a36827d492e7a52b120f23a1e3375ec0535698dbfddf955833fbf17accbe2bba05214d73eeae8ab9c0e4b3f74f796322f174f745609e

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\template.exe

Filesize
86KB

MD5
3c3024ded7007aa0d529555ac6754342

SHA1
5e3c3c583c14cc8207952bb18387e0ed852677af

SHA256
ece64eaa90de0446dbdd7fc96c36e0ed784bba0920d807cd2aeb15ea6d38d057

SHA512
38451c05dc7e65b9765dd28abe6ee8510f1e7b1f8cb683c833b601c95cb4151714a3b76581fe6841724805997db42e2e0d1f80228acf8985cd5131f64fbc9e0d

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\Versions\1.0\Resources\template.msi

Filesize
36KB

MD5
d4139b57677a2ad682938f60522e2b0f

SHA1
2ed0025422389df08373e056cd1dc6bd7295abc5

SHA256
cb2954595c2ac2c5c0ad6db3471073ea67b27e17914072f3cbf6344c97d6592d

SHA512
282db921c661601025f1c2b6e91e667ecc4f1595a85e23cd367b966df59470b910fd8e93ac4bbc1a4989f92d8245c140f8dc86036f25713951b5881acbd0c3f2

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\Adobe AIR\sentinel

Filesize
11B

MD5
a5c11ca014fe30b8085ea2e95f7196c4

SHA1
594e00fa5eaeaa9f99f7e45d92bab7dd7ca8575a

SHA256
096e4bfd9f7e1faf15058c0a0fe45e6dbd00e3e1360f21f2ca92bce16a9a919a

SHA512
9b3dd555ac1ab5e8dafcffdb6e23ebfffafecfb908c204e88a369c9c8e0fce326caa3aa2ac71be6629f018191cc379e29b1a919dc787fe29bc16c5f0ee24b26b

Download Submit
\??\c:\users\admin\appdata\local\temp\aird346.tmp\setup.msi

Filesize
48KB

MD5
5f75a11c1eb98a022e087ba7eefc2ea6

SHA1
9f46877e58f4549bcb2c4f0fd903d9fb49ecfb8a

SHA256
6f905ac0f120f11bfcf04496ae7cf6e3d0128f6cd6b08cf0cf5eab7ff9ce314b

SHA512
5f45bdffe6880197af1ae1f6ed1b1483a4595c982c39e33f89c5972658809dbd3041f0f8105206534baf129e0f5a8a51e05a4aa69b08d52edee530a2018afff8

Download Submit
\Users\Admin\AppData\Local\Temp\AIR3C93.tmp\Install Transformice.exe

Filesize
130KB

MD5
a5da8ba949718507dfda7a816326fdbe

SHA1
3af561103bfb62fb580ab44954cd56c0aefc275f

SHA256
75eadf5339a379e93627e0a6659939d7b4f22b60849d8b906900255564ecb494

SHA512
073decc81a69fe60ee059ac086434738e702fdee078a65f1497c54d9106665687ed88b60e29ad3d750bcd1447d1ed117095941232e6c1919c2e14511befaf5c6

Download Submit
\Users\Admin\AppData\Local\Temp\AIRD346.tmp\Adobe AIR Installer.exe

Filesize
383KB

MD5
6ba34f521e2de430fa5ba108e399d12e

SHA1
830ee63d8db0020201b6d0cb8d5a2ed2dd523256

SHA256
1a54ac75b4b671657c4368c6a73143e63462be076312921bc6d1e94a12426c58

SHA512
1e3826aa000abaa15d93e516b8398f31a9517d8dbbaa2ee671cfb2619af3818efe8b810e6fde3411c8b05b8c51afbd58b561c6d76e4383ac300bb7a3ce8f6401

Download Submit
memory/6768-12316-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12277-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12321-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12313-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12320-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12319-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12318-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12317-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12323-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12315-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12314-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12312-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12311-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12310-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12309-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12308-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12307-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12306-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12305-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12304-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12303-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12302-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12301-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12300-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12299-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12298-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12297-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12296-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12295-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12294-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12293-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12322-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12275-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12274-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12273-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12272-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12271-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12270-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12261-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12269-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12268-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12266-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12264-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12263-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12262-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12260-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12259-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12258-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12257-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12256-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12255-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12254-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12252-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12250-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12249-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12248-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12247-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12246-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12245-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12244-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12243-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12241-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download
memory/6768-12267-0x000000000CE00000-0x000000000D000000-memory.dmp

Filesize
2.0MB

Download