pandastealer | da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61

Analysis

max time kernel
26s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe-air-51-1-1-3.exe
Size

5.9MB
MD5

34dba7939065022ad74458acbae28abd
SHA1

5f4e6e7cc0f2970068ff1c05189a8dc6881b8d33
SHA256

da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61
SHA512

6271f67b486c7273fd391e4379f987fcce3042947909e97d05290d04469588a94bd501685f686037a400b788d6693e73f7d7799069c772b80da9556322c6cc79
SSDEEP

98304:FOB7drLD5C522D5K6O6DWT9dCrVodEdhIW5LkrNcBByeTTC3qdqH2pjin6uYRjUI:gB7drxU22DJVAbAeOIyBBNiKqMbZUI

Score

10^/10

pandastealer discovery stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001c8ca-4300.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Blocklisted process makes network request 1 IoCs

flow	pid	Process
25	3828	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.msi	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\digest.s	msiexec.exe
File created	\??\c:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\digest.s	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\setup.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\stylesNative.swf	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.msi	adobe air installer.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	\??\c:\Windows\Installer\f77cd56.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID236.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File created	\??\c:\Windows\Installer\f77cd50.ipi	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\AdobeAIR.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\CacheSize.txt	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f77cd4d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFF2.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf	msiexec.exe
File created	\??\c:\Windows\Installer\f77cd4d.msi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f77cd50.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2956	Adobe AIR Installer.exe
5032	adobe air installer.exe

Loads dropped DLL 7 IoCs

pid	Process
1172	adobe-air-51-1-1-3.exe
1172	adobe-air-51-1-1-3.exe
1172	adobe-air-51-1-1-3.exe
1172	adobe-air-51-1-1-3.exe
2956	Adobe AIR Installer.exe
2956	Adobe AIR Installer.exe
5032	adobe air installer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe-air-51-1-1-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe air installer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	adobe air installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	adobe air installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Adobe AIR Installer.exe = "32767"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Adobe AIR Installer.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\ProductName = "Adobe AIR"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\command\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\ = "Installer Package"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Runtime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\ = "AIR.InstallerPackage"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\Content Type = "application/vnd.adobe.air-application-installer-package+zip"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net\1 = "c:\\users\\admin\\appdata\\local\\temp\\air7ee0.tmp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\ = "Install"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Version = "855703553"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\LastUsedSource = "n;1;c:\\users\\admin\\appdata\\local\\temp\\air7ee0.tmp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.air	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids\AIR.InstallerPackage	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\DefaultIcon\ = "c:\\PROGRA~2\\COMMON~1\\ADOBEA~1\\Versions\\1.0\\ADOBEA~1.EXE,1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6F249802136F443B6919B0C761E42A\Management	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\PackageCode = "BBD26563A231C6047BF676630876766C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6F249802136F443B6919B0C761E42A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AIR.InstallerPackage	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
3828	msiexec.exe
3828	msiexec.exe
3828	msiexec.exe
3828	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	5032	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	5032	adobe air installer.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeRestorePrivilege	3828	msiexec.exe
Token: SeTakeOwnershipPrivilege	3828	msiexec.exe
Token: SeSecurityPrivilege	3828	msiexec.exe
Token: SeCreateTokenPrivilege	5032	adobe air installer.exe
Token: SeAssignPrimaryTokenPrivilege	5032	adobe air installer.exe
Token: SeLockMemoryPrivilege	5032	adobe air installer.exe
Token: SeIncreaseQuotaPrivilege	5032	adobe air installer.exe
Token: SeMachineAccountPrivilege	5032	adobe air installer.exe
Token: SeTcbPrivilege	5032	adobe air installer.exe
Token: SeSecurityPrivilege	5032	adobe air installer.exe
Token: SeTakeOwnershipPrivilege	5032	adobe air installer.exe
Token: SeLoadDriverPrivilege	5032	adobe air installer.exe
Token: SeSystemProfilePrivilege	5032	adobe air installer.exe
Token: SeSystemtimePrivilege	5032	adobe air installer.exe
Token: SeProfSingleProcessPrivilege	5032	adobe air installer.exe
Token: SeIncBasePriorityPrivilege	5032	adobe air installer.exe
Token: SeCreatePagefilePrivilege	5032	adobe air installer.exe
Token: SeCreatePermanentPrivilege	5032	adobe air installer.exe
Token: SeBackupPrivilege	5032	adobe air installer.exe
Token: SeRestorePrivilege	5032	adobe air installer.exe
Token: SeShutdownPrivilege	5032	adobe air installer.exe
Token: SeDebugPrivilege	5032	adobe air installer.exe
Token: SeAuditPrivilege	5032	adobe air installer.exe
Token: SeSystemEnvironmentPrivilege	5032	adobe air installer.exe
Token: SeChangeNotifyPrivilege	5032	adobe air installer.exe
Token: SeRemoteShutdownPrivilege	5032	adobe air installer.exe
Token: SeUndockPrivilege	5032	adobe air installer.exe
Token: SeSyncAgentPrivilege	5032	adobe air installer.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2956	Adobe AIR Installer.exe
2956	Adobe AIR Installer.exe
2956	Adobe AIR Installer.exe
5032	adobe air installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 1172 wrote to memory of 2956	1172	adobe-air-51-1-1-3.exe	30
PID 2340 wrote to memory of 2420	2340	chrome.exe	32
PID 2340 wrote to memory of 2420	2340	chrome.exe	32
PID 2340 wrote to memory of 2420	2340	chrome.exe	32
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2712	2340	chrome.exe	34
PID 2340 wrote to memory of 2840	2340	chrome.exe	35
PID 2340 wrote to memory of 2840	2340	chrome.exe	35
PID 2340 wrote to memory of 2840	2340	chrome.exe	35
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36
PID 2340 wrote to memory of 2868	2340	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe
"C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\AIR7EE0.tmp\Adobe AIR Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AIR7EE0.tmp\Adobe AIR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2956
- - C:\Users\Admin\appdata\local\temp\air7ee0.tmp\adobe air installer.exe
    "C:\Users\Admin\appdata\local\temp\air7ee0.tmp\adobe air installer.exe" -stdio \\.\pipe\AIR_2956_0 -ei
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5032
- - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
    "c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe" -installupdatecheck
    3⤵
    PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7419758,0x7fef7419768,0x7fef7419778
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:2
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1356 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:2
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2928 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3708 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2440 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3324 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3360 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2452 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2424 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4444 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4464 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4132 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1048 --field-trial-handle=1236,i,5039175585525177075,11542500425586977089,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Users\Admin\Downloads\Transformice.exe
  "C:\Users\Admin\Downloads\Transformice.exe"
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\AIR10D2.tmp\Install Transformice.exe
    "C:\Users\Admin\AppData\Local\Temp\AIR10D2.tmp\Install Transformice.exe"
    3⤵
    PID:3856
  - - \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
      "Adobe AIR Application Installer.exe" "C:\Users\Admin\AppData\Local\Temp\AIR10D2.tmp\Transformice"
      4⤵
      PID:2004
    - - C:\Program Files (x86)\Transformice\Transformice.exe
        
        "C:\Program Files (x86)\Transformice\Transformice.exe"
        5⤵
        
        PID:4228
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.nekodancer.com/nk.swf
        6⤵
        
        PID:4220
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:275457 /prefetch:2
        7⤵
        
        PID:3332
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:472070 /prefetch:2
        7⤵
        
        PID:4808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Program Files (x86)\Transformice\Transformice.exe
"C:\Program Files (x86)\Transformice\Transformice.exe"
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77cd51.rbs

Filesize
14KB

MD5
a4441d4cbfc6ba57440a0c53a3e9ceea

SHA1
42a735c6b082d7cebbd57989f4d593583d063813

SHA256
8391123da7c3840bb3942e4ede26f2921d8688ea0aebca563149bbd9afbff309

SHA512
422aa62ca75319cb0f9bda329202a0dec83257b0d5fd690aa0e1d9c89ef1d319f8f81f8809dccf916ad1ced1db62d9b88f5e7eb512c48baeb7d781379e9dea05

Download Submit
C:\Config.Msi\f77cd59.rbs

Filesize
11KB

MD5
843e131eaa34d117158081613892ba5c

SHA1
e3f6d1d9214844f58e768dd2433a3972c33cf268

SHA256
836daf3ad1329114a8d23ebd2556e1e1e9dc4ebada8851b9e367890921d6dfc5

SHA512
57b4ab508a227a6eaccc77652c92a883899f0a14867d0ea0d0319a57f226d9cd6084f2980e99e86501154c9372a694462d56179268ea1e86be43d63b18949581

Download Submit
C:\Config.Msi\f77cd62.rbf

Filesize
8.0MB

MD5
479dfeb6bfdb8035dd2bf79cabb39e65

SHA1
e1b8a1363189abc7d3f7459bd6740682e43b30f2

SHA256
814728159d8e316eb6bc09fb1dafef911b708d1d1f51e8e866fee8e7965ce05e

SHA512
2650454e22176d31415c3be4dca4ed887bf30adf4f3655dde5d9cd538025b662ec9bf39657aff540c68aa1e4494c449099bc1a693ea2f835bd41ac51169778ca

Download Submit
C:\Config.Msi\f77cd65.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\f77cd6a.rbs

Filesize
9KB

MD5
1595ce90c6ec74dbcdcfc70af7374e99

SHA1
f92894358991f2856158c7f6eb0f8a79f3f5477d

SHA256
d71d969b14cc7964ed79a788479aaf060939aa54f229af2413117004ff1b1542

SHA512
1d5af9231d0588af9b93cf02ac483d6c3864cde858f100c10ef45c309769cd64ae33757976f5af3b531b2d23374ec67ab4583a199fb7717183fa2c9bf53baafe

Download Submit
C:\Program Files (x86)\Transformice\Transformice.exe

Filesize
139KB

MD5
055a34bd625727d3e1f9fc15e2ff6c3b

SHA1
d9f23f91240c6ebdb6cb88f25b43ac68da40d6be

SHA256
a0c992369f8bf35c5856d1fd4930ac72c682bb74d8f6764466e4630b1a6a9347

SHA512
28afec89c505bc01592774e1a2eb14b4d104a13c2e351cd3c468cec7314be0af86561b8e1684765ef254f776416dd69009b9cdd1a577ce63e2ee5af4d44904ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d2728a37beb63c00085949af58e45390

SHA1
2acb77082687dc4729d2ce76dbccdd90e01d9724

SHA256
d3bc312d0d9338289e4678851a37e31b5b789f9fb1f0af0ce6865b2f5109f367

SHA512
9d3713291082fa80688e2818cc33f9cfb8b1da15a8b11cf7576c7315a623caab223f1e502b36b1046a28e4cf2d1bb4b244cac90331e2958f61385448efbfa7bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37d92222954a30fb14a617d3b1a3bf7d

SHA1
39599da438b65801aceb11794c0ec0535b0ac411

SHA256
36c7024819bc506ae4a89089692f5821d9314f84f76aa8e1cec93f77e847f5c1

SHA512
81484e17db184d765ac63cebcf3e8bd43cae05167b15d0f44fb2a337ac13f217a3ca4271b211201fcf5ea73a01a33d1aad045673098a240374695b5426eca4a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b4d98209b6fd873c9c9b0e3b51aba36

SHA1
0a0529189cd865c2b4fde77f333f524060265a13

SHA256
5c61bf7cbb47d91f9a2a451615b2d784fb248566deba8976619e9e3fc1da4ec3

SHA512
b3715e97ec66c269514deeba9c8d4ecc35cc98bd224d688fabe0e9519b3241181dfe7324b09687c4ed5fb4272900b946f3a3d507b78c5b92d7e39e31185b97bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c60a2badebd6762acf0d7fec78eb538f

SHA1
1d9af389e9b51770d66fd54fd7e495523d48aeb5

SHA256
c0298f5ccc3886636aaa231d434412869e5b076e8d3f2049ed5aa8f855398a90

SHA512
88cfbecb90b2cf203fbc8bd6c1b9bfb600ee7d8d408f330530200a3c882c1cc3788ec0aa85b58f5b725e6c28be33a32ce998b01c0168efae3964a6259fd0cfc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
444bc2117a2a14f0c777905df9540c3c

SHA1
57623230eb378ee65fd53909873c8c1d76ab78f1

SHA256
b8dfd032b64dc1aa5f451eff0fff12b55c2ca31aafc91c7539d228e61eb277ff

SHA512
2e0f20b98dbddd0b5bec67245b224d0c4892558fdf6db55a573a7793776b9f4d939f465af55ae44262e67c4cc189cd912c5a9a3e77b5f3863a5e7a4acc21db40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02d0928bca499397a00fe1324f11c1e1

SHA1
cc263607fb1c2cb91af8f33f195a3a17e6bd27ed

SHA256
92e9071ae66ce07dd606fc60330ad7db80152f1762cc554d73e57d1dcb30a109

SHA512
6f5d6ee386838649a4a00243e85a79814e517e7a015b56bcd42814941bbf08a120a0c011434edf31982625e39a24641e212b4f67e20db6d94003525e0fe66741

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dab144c65ff933686d11bf78e353e783

SHA1
1897b85286cd408433570ee9272e04c1b79e2bbc

SHA256
18c2713124ab3963c40030c0eaac98a37a427e2f0f4428620704ef13d4afccb3

SHA512
e4b819f12250be60815763c8f7deaeb1b574a7841636c72377b5f6989f3f9eedb4bdb9237b629e8e83be7cd226cf538ab862890603b62fcee10ec78185c9d4ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eff2353a052ddb552ebedff07e60f3c5

SHA1
e1b293c6e1c18d921ec4e609f1be6b6c786ea018

SHA256
b003be32c9df27b255b5712d434cda39f3613172bdc2fc6e1cfb6b5ddf3af27f

SHA512
919640a07adb98f83965a1e0ed35f8ac1600e7230582b6e2a59c9cb99aeffceff122a7b622146f2da3a2895db9e9d0e09f27007f534fac1e889a3254d1c76d3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6aff1526e4eb121dae73892a6736d72

SHA1
004afef6b8742a471532e6f1d4879ac4589196dd

SHA256
402a1d5801366d59b2aa76e1ec38184f5c575706577a047a80973466bc21706c

SHA512
7ec14e9861de1fd9305eacd162d5e7c513ae1a1e711800443ad4ce843ff9bbb093f07a2df1120a237dc7dff5826530f5d4c6ae707270d46abfdd4b70c50e510c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
dde41c7a87277b03a48a16c7c6c2a04b

SHA1
7628db1cc753c480a283f8067502b5c3dd251231

SHA256
887cdf1d05a75fac697209fb91d96335502813b0b1df022b53129b8d1c9bf59f

SHA512
51c0db32da2dfd5d6d70a356848f016815bc38032de0ac4f78c7a4a4c84641978cdb3c476d4766686bf157c763a0d91da4a3960840dc333bf8c303bef3e8e6ef

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
692B

MD5
ed6db5d86958b9e78710b6f664c3276d

SHA1
309f2f7ff39baffe879ba6cda610b45c8c096c4d

SHA256
160aa3e64fccd374f0ab31e6ecb180c5745ff0f4a60a1f0831bb7ea0b32b2051

SHA512
2e7cb766792b135d25e7fe2571a1e06eb3228e1956e8da6d07f7811978006956e950e215968232bbfd31013f20cd200d470f4c2bb88ba883ec27e39321d2c384

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
6ab246192fae4a337dd07b3b103b3f1c

SHA1
bd71f378d6084050a181640f8fade75bb8d50bd4

SHA256
f2eb5419c4bb299891de4144ca01c66f9e79328f9fcf81dd6851d40b7f7a7527

SHA512
38cab3ac9d09d2e31b0102fdcc2455bb35ffa03a21f9c3d0dca7a8a3a04ec03ca4acc714d471e03de960c9567a9f10497c4192c66e47edd74c9e10079c3b50b4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
1KB

MD5
c5cba9f8a8f24747baa0a2c63ac15496

SHA1
4765cb43e4f5c132b01f853c4dc7fdab5f081958

SHA256
afb977d777be443b2a101f23d5a7b5c4160833849335e7a40b5ab1242c2e25da

SHA512
421bebc9387c80d2155da373c6047094a37aed482f84b1efe9ff4f332dff71a121ed9e3c0d9f6f81bf6b010e34e44a44d075a7c4affd9adb0d92e3af515e48aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\01101af9-d17e-49aa-b466-cd867387a1e0.tmp

Filesize
6KB

MD5
0a3069cc54aebed7303e7d3bd59d328a

SHA1
a7af51b89e35612a44f5f90a4dc423d887b54c95

SHA256
04e8033f1940b17801b984af82a13d39a743b2e9e4dd55fbec4588102a06c1be

SHA512
e18a4f82dd3dc32b2d78026c3d9082dd9ee5366df91e361e684169fb938ad63d42ebe31dd1268ded557ccc6c77d23e0798a98781c19e27c79435ed2e8dd48acc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77f892.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ddc69d364c23cd3c398eaad8d0db1e50

SHA1
1a2c174df6e7716a54220d450f051ad9629515a6

SHA256
fe375a09fa75d5654e6b016c958d2d7a7503db08caf8d6a5bad6edf3fa97abe3

SHA512
cd2ff077d299e2d5834f6e51cbb3aa0f6664336098bb11ae27b7f9a9e74df8ac80a551df048cbe2c83c0b44a09ff6e9705ba6c423df358dbf3fa20de8729c90d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
55fa45dd2ec97a309253171e7c2d10cb

SHA1
e47a1d3bf7143ef2f4a79aaf3fd0ba1a67126a46

SHA256
db788689b7743b0c301834eae461eb90e05dee6ebc42c925c1dd6e6851d0cd3a

SHA512
6496fae10851805e7a9b87ecb7e55b21a7dcec5a41686744925ab0df582a17a043c976547cdcac29f2c76fdc66c2aa34336d99c51b7803cca3be5d35dc4ae7e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
d9e3eaa898d8a1e0b9723c5d3bb3083c

SHA1
dd9c56b3762c03eddbb5307742cf1763668cba16

SHA256
393e8d964f5b7eb088bacd49c27d20f8a151349296d25950cef0effc73721e33

SHA512
0bbb950aba16bda810a845d7dc715b236e9c7c67e7ca44a7eef0ddc58fdbc550b66c9c65e02b53c4c1fee23bc9647b7aeba6445644b06100b6c4f08791ad335c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
63d88c17c98f5b8fb0d0a9b93c40543b

SHA1
7bf41446a2affe0a2671c404445a1bd3931cf283

SHA256
a00bc41ec6df90256fbfd453c37d2a8578bff5f4e1760e0b10aa22748d347ed5

SHA512
cc89f6a818219488ff2b7ccbb8a514a87b7ddbce5492f3322bf246be2086bf6ac864b785d0273ac8b23862f1db460f209e186cd6cc04da1be131feb9ae8d0e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4ce202d108145ca4e24a50aaa147ee59

SHA1
523fc851f0dbe6920a4c8318bc15e438c597709f

SHA256
2f152373d034a72ee5dfdcf9cc0e27adfe7fc3134f1a1b4b83d4bc84318e9b78

SHA512
7a289a664c59ab9c0ec4bcde8526445464cf678e134de5642cf62bc9b4c465c81bd4a29027a9fb028eb8f1ee6acc644fc1d0f66c0fffde39ff9232ad07fe539e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDDDRHWK\info[2].php

Filesize
105B

MD5
db6b7e0131993e003ac733a26a585995

SHA1
7f0380250b73c03433e5074662613b9fb8a02176

SHA256
8227596b9cad5d2c266ac071ecc6cbad5f1ce026d38a172e7e007d38ece28162

SHA512
8ebb5d0c04f7965cda0b2c70311bf42f7ae6f2d39cb0cca7bc48fa5af1e1fef484acad47f1b47bf76075cea0250a18ad5abcbc85a9b76bf8bfeace97dfdf6acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR10D2.tmp\.launch

Filesize
24B

MD5
71100a118618ca9623f517d7468278d1

SHA1
d0bca87f671fc06774cb667cf8bef962a0278ccc

SHA256
307a9865fd68d697675818cbd36f386102aae93b3ffc9526fa44deb0e541f2f0

SHA512
0a1f22d1e03f6af658d6c0377238c48b8a99adc1eaa3137cfd6def40f655762cca40e7b48ad2a77dd53b869b333300a7c68762da3feeee86e7c4837416679ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR7EE0.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll

Filesize
13.4MB

MD5
b10e155460556fa4667536de7bb40e43

SHA1
a17872d7ff29a307fac5b4ed98887a420f716964

SHA256
371c442e9ce81a9514d25eccbe6e9c37a7b766bc5de1a7e03e50ac77cb8ce374

SHA512
4a3d2b0ec3d3ae868c50530136da228d835234198a41aa47ef11c40843249bad29425d50967ce8205c948336d02107e69655900c071cb5b3cb0c63e57ea557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR7EE0.tmp\setup.swf

Filesize
512KB

MD5
ad5f7d53caef368303bebde302582d92

SHA1
9efad61bf69e80d7468236695e0a108d360ae749

SHA256
2b501bfdb378ba7130b8e4b4b2263adfb4f95887cf071ded134f4cffeee5f40d

SHA512
8a31c0009c915dbb46c054388d793c1db8fc7b5ae1df419b3f284cad1d2f8db1f2ed759dcb126868d64af8a0a94c9e479776e6da86296af4e73a0850821c49e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD8E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEAA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 727760.crdownload

Filesize
268KB

MD5
e0d19351dd3e1d5361def38659318249

SHA1
e6824969ebea151c77080b445ac416b56dd8630d

SHA256
6f378db45311af48c29fbd47550e7c181c748c1dab76cadd1f1f1c872ad288c8

SHA512
a684739e9f9283f1ad6dea9747fe46fd2feb9fb7854d128cd34b3543109cfc7c1f9cd21890ca27e55afd88d082ba81507eb3382968ba09cd33afc8208f33ec4b

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.exe

Filesize
59KB

MD5
5e9d2fccad3b9edbc0a8ab0fe1e5e510

SHA1
4f74227b71e570f57e0bf611de8fe2b73cd3aba3

SHA256
ba7cd3c2ef37746576ea934fbbfe6ce0f659977f604cb6528e642e6d82e60ff7

SHA512
8e5ae33075564851f1534767558b1be79894858a912e5f53b00c98ad38e46bcdd17e225e32acea78b634221b506a312185ea155faaac976642c6fc8ed352f035

Download Submit
C:\Windows\Installer\$PatchCache$\Managed\8663020007180A44EB446B23AFD487F0\1.0.8\air.swf

Filesize
352KB

MD5
8599589cb2f1cfad899f0e95c3cf2bc9

SHA1
5f749cd74d03b0d050be34eba34cfa11dabab3dc

SHA256
101140c8df33cd81af64000549872ef9e48af5913a27367e0865a4f83becc509

SHA512
216b21b7c373f083fbd4246555a94c8ade6c6d009a381d28b98a59028bc0eaf99ba937147c90184060ee3c6c6a95d9b0b249da3fb2ef16272eb881bb6e74e35d

Download Submit
C:\Windows\Installer\f77cd66.msi

Filesize
21KB

MD5
164df4c65d8e4e8d910e2a1703ca3e75

SHA1
3531024204406e602e3157ff5ca8b9e36c1111fe

SHA256
9566c1dddc1d0ad10071e9f260a05a96da4307f64a9ee59ab318aab823cfee15

SHA512
3d14ff7274ba92cee9c1c25fe08bb03b9253b2ac8e316ebd738a935bb1ec6ad17042b3dc3a8ceacc15627d91cb4ff0885e326cb8bb11a1dd5408f9a571970636

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

Filesize
408KB

MD5
277739413fb03b430b50d60d679f3d97

SHA1
264da51d663ef366a19dca31faa83f2ae91c6e45

SHA256
96cf2ed23e21169633d3a78f0677fd28754c1f491d590809506dc075bb49eda3

SHA512
8429fa88b6e1eb072edaf28c79b320a6150f0579376d61c7f11a31b59a116848cff5315373a0393c238e1d19b4e4b5bd282f9de54a7749db658dda073f227cca

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf

Filesize
491KB

MD5
e9db98f0ab9334466bc94604c62e4c04

SHA1
992642151c9ef76e338509b592e29cde69383751

SHA256
c740ad52c9c1ab8d7762dd744f13742564cc1500b94d7a29bfc60311b7f22934

SHA512
7dfe2dadabeb3159a91b70280e5ca773f37d45babbe2c6a37989fc2848ffd0ec4ef9e3d8b6af69853be6adab935126b94b45216fa395c7fa0755f969c44c8c71

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

Filesize
383KB

MD5
557de97331f10692a1d1a6d757587f6a

SHA1
9d12b14515b876047e42e119048a0de6f791ae7b

SHA256
ee869bed7628dc2db4dd1ece9d2dcfb084cc803a08c007d3d88b0bf3343b15cb

SHA512
8d94d98c54b457b99e2c00a99f209fecc93544b3bdb998561cc0f8dac6768e3ae93b4737e18ce51d9d9059d45fd3566be0cb67b80f067d6484d7ddfcb6670076

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer

Filesize
1KB

MD5
bf70913ff8d6d60a47fe825330815db4

SHA1
6be8460639f5651848b2f83ab1463f5602be06c3

SHA256
944e66aa967bd390952d22426bf1dfcd379a2c87a21b942fbca79f41f0354aac

SHA512
108e3c8ec1d45de97a7efc5c6262602414bbb7a32477dd7d8aab4c9335365f2b95c52d4f708a4a7422f4d4e0877f222cd358411d7b78cebe83565954e4f465f0

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer

Filesize
677B

MD5
7f667a71d3eb6978209a51149d83da20

SHA1
be36a4562fb2ee05dbb3d32323adf445084ed656

SHA256
6b6c1e01f590f5afc5fcf85cd0b9396884048659fc2c6d1170d68b045216c3fd

SHA512
7f7329f4f9a3fb45b8aaa8eac9191bef9db85a1bdb13ed66d1ece6a51531f216eeb736a96d8baa87e033f2b7f0b8879954bc261c4c8bd632563ba153bc07e0b0

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe

Filesize
53KB

MD5
9cec1614a59cecacd3d31274bf00a37f

SHA1
b46af6fa2924b0c4d6e290ae0dcbc42e3d27ad1a

SHA256
e277d2a94295506fe1574cf0b4e499b204f83293b290fc1139098d55e2b7c176

SHA512
25f6c873bf406f3615bdf04aae5e66d3bd5b52bb77c7cda27a57cf5830012bcbec4cf5b0a563b868ec0fd47f1612fc4be6b6c355685db86b1da41b2bd856b64f

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\digest.s

Filesize
2KB

MD5
0f5295089e4ef5a7396007407ee21113

SHA1
e5731eaa83f4dec94fd51612beb8e72b42df8954

SHA256
4571ead5d878568c4082003d21f50a39b8687f08e8f631aa20351014373ed2b1

SHA512
49d02f3787454c9e0b77822de0f3761457eca4038fd7ba74e1c61232b5887b6f658161c7c088690641c33f4e0bad755b45886572e0cc1b468dc7d5c42f8257b3

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf

Filesize
229KB

MD5
bc2c33f2d32da05074e96ceafb8a25d1

SHA1
ab5b93ff24f10dd6446690862b34281964e70d55

SHA256
bbc0e77749778134698038ea107dd47e76e0cd849d34406eb960bf0c9f3c7a5a

SHA512
83c7676816594e5931d8a36827d492e7a52b120f23a1e3375ec0535698dbfddf955833fbf17accbe2bba05214d73eeae8ab9c0e4b3f74f796322f174f745609e

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\template.exe

Filesize
86KB

MD5
3c3024ded7007aa0d529555ac6754342

SHA1
5e3c3c583c14cc8207952bb18387e0ed852677af

SHA256
ece64eaa90de0446dbdd7fc96c36e0ed784bba0920d807cd2aeb15ea6d38d057

SHA512
38451c05dc7e65b9765dd28abe6ee8510f1e7b1f8cb683c833b601c95cb4151714a3b76581fe6841724805997db42e2e0d1f80228acf8985cd5131f64fbc9e0d

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\Versions\1.0\Resources\template.msi

Filesize
36KB

MD5
d4139b57677a2ad682938f60522e2b0f

SHA1
2ed0025422389df08373e056cd1dc6bd7295abc5

SHA256
cb2954595c2ac2c5c0ad6db3471073ea67b27e17914072f3cbf6344c97d6592d

SHA512
282db921c661601025f1c2b6e91e667ecc4f1595a85e23cd367b966df59470b910fd8e93ac4bbc1a4989f92d8245c140f8dc86036f25713951b5881acbd0c3f2

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\Adobe AIR\sentinel

Filesize
11B

MD5
a5c11ca014fe30b8085ea2e95f7196c4

SHA1
594e00fa5eaeaa9f99f7e45d92bab7dd7ca8575a

SHA256
096e4bfd9f7e1faf15058c0a0fe45e6dbd00e3e1360f21f2ca92bce16a9a919a

SHA512
9b3dd555ac1ab5e8dafcffdb6e23ebfffafecfb908c204e88a369c9c8e0fce326caa3aa2ac71be6629f018191cc379e29b1a919dc787fe29bc16c5f0ee24b26b

Download Submit
\??\c:\users\admin\appdata\local\temp\air7ee0.tmp\setup.msi

Filesize
48KB

MD5
5f75a11c1eb98a022e087ba7eefc2ea6

SHA1
9f46877e58f4549bcb2c4f0fd903d9fb49ecfb8a

SHA256
6f905ac0f120f11bfcf04496ae7cf6e3d0128f6cd6b08cf0cf5eab7ff9ce314b

SHA512
5f45bdffe6880197af1ae1f6ed1b1483a4595c982c39e33f89c5972658809dbd3041f0f8105206534baf129e0f5a8a51e05a4aa69b08d52edee530a2018afff8

Download Submit
\Users\Admin\AppData\Local\Temp\AIR10D2.tmp\Install Transformice.exe

Filesize
130KB

MD5
a5da8ba949718507dfda7a816326fdbe

SHA1
3af561103bfb62fb580ab44954cd56c0aefc275f

SHA256
75eadf5339a379e93627e0a6659939d7b4f22b60849d8b906900255564ecb494

SHA512
073decc81a69fe60ee059ac086434738e702fdee078a65f1497c54d9106665687ed88b60e29ad3d750bcd1447d1ed117095941232e6c1919c2e14511befaf5c6

Download Submit
\Users\Admin\AppData\Local\Temp\AIR7EE0.tmp\Adobe AIR Installer.exe

Filesize
383KB

MD5
6ba34f521e2de430fa5ba108e399d12e

SHA1
830ee63d8db0020201b6d0cb8d5a2ed2dd523256

SHA256
1a54ac75b4b671657c4368c6a73143e63462be076312921bc6d1e94a12426c58

SHA512
1e3826aa000abaa15d93e516b8398f31a9517d8dbbaa2ee671cfb2619af3818efe8b810e6fde3411c8b05b8c51afbd58b561c6d76e4383ac300bb7a3ce8f6401

Download Submit
memory/4228-12590-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12592-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12593-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12595-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12594-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12598-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12597-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12591-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12589-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download
memory/4228-12587-0x000000000D540000-0x000000000D740000-memory.dmp

Filesize
2.0MB

Download