General Info

File name

TransformiceClient.rar

Full analysis
https://app.any.run/tasks/80a11a0b-da3c-49f2-ba8d-9319b6eef324
Verdict
Malicious activity
Analysis date
7/11/2019, 22:13:32
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

591b852995418a6100a965a7e98a0737

SHA1

c809dffcd912237400ee36f6233fc04def90d61d

SHA256

bce00529092236dade7f702c5e16868b3c6c4ef6202f4a3ca5aff38ed26fb4ea

SSDEEP

49152:cFKPQBtqHZJ1ZUzcSYw7vrHpskyBbZNJyQDyF3tSVH8Q:GKPQBtqHFy4StvjKk87DugVH8Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • abcexport.exe (PID: 3040)
  • abcreplace.exe (PID: 3068)
  • rabcdasm.exe (PID: 3872)
  • Transformice Client.exe (PID: 4076)
  • abcexport.exe (PID: 2444)
  • swfdecript.exe (PID: 2672)
  • swfdump.exe (PID: 3616)
  • rabcdasm.exe (PID: 3512)
  • rabcasm.exe (PID: 840)
Loads dropped or rewritten executable
  • abcexport.exe (PID: 3040)
  • abcreplace.exe (PID: 3068)
  • SearchProtocolHost.exe (PID: 856)
  • Transformice Client.exe (PID: 4076)
  • abcexport.exe (PID: 2444)
Creates files in the user directory
  • abcexport.exe (PID: 2444)
  • rabcasm.exe (PID: 840)
  • abcexport.exe (PID: 3040)
  • Transformice Client.exe (PID: 4076)
  • rabcdasm.exe (PID: 3872)
  • rabcdasm.exe (PID: 3512)
Reads Internet Cache Settings
  • Transformice Client.exe (PID: 4076)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3144)
Reads internet explorer settings
  • Transformice Client.exe (PID: 4076)
Dropped object may contain Bitcoin addresses
  • WinRAR.exe (PID: 3144)
Manual execution by user
  • taskmgr.exe (PID: 3392)
Reads settings of System Certificates
  • Transformice Client.exe (PID: 4076)

Static information

TRiD
.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes
55
Monitored processes
12
Malicious processes
5
Suspicious processes
0

Behavior graph

Edge labels: drop and start; start
Nodes: winrar.exe; transformice client.exe; abcexport.exe (no specs); rabcdasm.exe (no specs); swfdecript.exe (no specs); swfdump.exe (no specs); abcexport.exe (no specs); rabcdasm.exe (no specs); rabcasm.exe (no specs); abcreplace.exe (no specs); searchprotocolhost.exe (no specs); taskmgr.exe (no specs)

Process information

PID
856
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe7_ Global\UsGthrCtrlFltPipeMssGthrPipe7 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\transformice client\tools\swfdump.exe
c:\users\admin\desktop\transformice client\tools\swfdecript.exe
c:\users\admin\desktop\transformice client\tools\rabcdasm.exe
c:\users\admin\desktop\transformice client\tools\rabcasm.exe
c:\users\admin\desktop\transformice client\tools\liblzma.dll
c:\users\admin\desktop\transformice client\tools\abcreplace.exe
c:\users\admin\desktop\transformice client\tools\abcexport.exe
c:\users\admin\desktop\transformice client\transformice client.exe
c:\users\admin\desktop\transformice client\interop.shockwaveflashobjects.dll
c:\users\admin\desktop\transformice client\flood hack.exe
c:\users\admin\desktop\transformice client\farm mice.exe
c:\users\admin\desktop\transformice client\axinterop.shockwaveflashobjects.dll
c:\windows\system32\netutils.dll

PID
3144
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TransformiceClient.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\transformice client.exe
c:\windows\system32\rpcrtremote.dll

PID
4076
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Transformice Client.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Transformice Client.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
iCooper™
Description
Transformice Client
Version
1.0.0.1
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\transformice client.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\f971acbc25b64dfe4d70e5b25837c780\microsoft.visualbasic.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\axinterop.shockwaveflashobjects.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\abcexport.exe
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\rabcdasm.exe
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\swfdecript.exe
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\rabcasm.exe
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\abcreplace.exe
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sxs.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\interop.shockwaveflashobjects.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\accessibility\bbbbd997a1621cf1e739f922fe653459\accessibility.ni.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\audioses.dll
c:\windows\system32\mlang.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\avrt.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wintrust.dll

PID
3040
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe" Chargeur.swf
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\abcexport.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\liblzma.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll

PID
3872
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe" Chargeur-0.abc
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\rabcdasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll

PID
2672
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdecript.exe" Transformice.swf Transformice.swf
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdecript.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\swfdecript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\swfdump.exe

PID
3616
CMD
"swfdump.exe" -a "C:\Users\admin\AppData\Roaming\iCooper\Multi\Transformice.swf"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdump.exe
Indicators
No indicators
Parent process
swfdecript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\swfdump.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2444
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe" Transformice.swf
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\abcexport.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\liblzma.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll

PID
3512
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe" Transformice-0.abc
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\rabcdasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll

PID
840
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcasm.exe" Chargeur-0/Chargeur-0.main.asasm
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcasm.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\rabcasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll

PID
3068
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcreplace.exe" Chargeur.swf 0 Chargeur-0/Chargeur-0.main.abc
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcreplace.exe
Indicators
No indicators
Parent process
Transformice Client.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\abcreplace.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rar$exa3144.4637\transformice client\tools\liblzma.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll

PID
3392
CMD
"C:\Windows\system32\taskmgr.exe" /4
Path
C:\Windows\system32\taskmgr.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Task Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\credui.dll
c:\windows\system32\vdmdbg.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\slc.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwm.exe
c:\windows\system32\ctfmon.exe
c:\windows\explorer.exe
c:\windows\system32\audiodg.exe
c:\windows\system32\taskeng.exe
c:\windows\system32\windanr.exe
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wtsapi32.dll

Registry activity

Total events
1269
Read events
1218
Write events
51
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3144
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\TransformiceClient.rar
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C00000000000000010000000083FFFF0083FFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000AA0102000000000039000000B40200000000000001000000
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000A601020000000000160000002A0000000000000002000000
3144
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000AC0103000000000016000000640000000000000003000000
4076
Transformice Client.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4076
Transformice Client.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASAPI32
EnableFileTracing
0
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASAPI32
EnableConsoleTracing
0
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASAPI32
FileTracingMask
4294901760
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASAPI32
ConsoleTracingMask
4294901760
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASAPI32
MaxFileSize
1048576
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASAPI32
FileDirectory
%windir%\tracing
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASMANCS
EnableFileTracing
0
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASMANCS
EnableConsoleTracing
0
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASMANCS
FileTracingMask
4294901760
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASMANCS
ConsoleTracingMask
4294901760
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASMANCS
MaxFileSize
1048576
4076
Transformice Client.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Transformice Client_RASMANCS
FileDirectory
%windir%\tracing
4076
Transformice Client.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
4076
Transformice Client.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
4076
Transformice Client.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings

Files activity

Executable files
12
Suspicious files
3
Text files
2682
Unknown types
20

Dropped files

PID
Process
Filename
Type
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\AxInterop.ShockwaveFlashObjects.dll
executable
MD5: 63ee7b61bb397d3512c345a32a4596f1
SHA256: 7b514aca2a20f16b44c2b10dc7da99033f7c1d18f2e1f60cfae60fa70b6217dd
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe
executable
MD5: 1d285582ce38618a958212e87d06fcc3
SHA256: f74eaf1822b20b599276a172af874c2e98bc8ce5a4cab0a7468ac577f86181b9
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcreplace.exe
executable
MD5: 4dd89af63cf75832ed61cb0fd5fd5650
SHA256: d20b874c050950a1d400694cc6d440b4bcb07e9db21e65444e5b9f6c3072ec80
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdump.exe
executable
MD5: 5bbfd38940063bb3ed78fc2137958b0a
SHA256: e803453fe8816cf26b62dbe77ab23ebbded35c0871e0bf78d86631bf3a034522
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcasm.exe
executable
MD5: a71c93bb550c24db1edb27212783ee6f
SHA256: c02a62fa65831f0d165aad63f9cf589bcb3800a9c1391050a076049014fcbdac
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdecript.exe
executable
MD5: b2838df135fe035279e47343492b0db5
SHA256: faef2860350ccf11b3f4ba1a39c194b461f022044814b5cdf68bf2ec47c94f4d
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Interop.ShockwaveFlashObjects.dll
executable
MD5: a2a2d58248cc3a58f6a9ccbc50db0807
SHA256: 466d3a71e5d313ac4c2bbaf107cbecb85970eb2d907b74ac578090f0ae4fe8c2
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Flood Hack.exe
executable
MD5: 031973b850bf94d477d299869b524f92
SHA256: 86d6f3b60e15d388530fab761aa31fcf9f88c5b6b1556dab376723be3f247eeb
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Farm Mice.exe
executable
MD5: b793fc4b4bb364f980f30afcd794d829
SHA256: 95e33d59556f0dc758231ce336e180dc8d1e9bc25624571cedff58f134530cd1
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\liblzma.dll
executable
MD5: 0e5d3bc6ff20b7f7c82824e1d5e3512c
SHA256: 4f920f7ac2904171cb0f265239ee2225acb19769d3d438566c0d43e857dee8a9
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Transformice Client.exe
executable
MD5: 4e2e7935490b2e4a315a11746de81667
SHA256: 210e36c884c18613ad6bdee33ac60aa9a693a3c5bb220615ce4b6c2a2a747431
3144
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe
executable
MD5: 5fb748be478db6282bbdebf7d5887849
SHA256: cd2957356f5aa384ec66f4a02bf0987a2665c406ad68b2d7e48da1732806fbf7
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\x_flecheHaut[1].png
image
MD5: 26a152b354d8f008649b8d5ce69db3c4
SHA256: d49a532e47b947e37ae40d8b3216ab4e72e695450cced1816912f7144265bd8f
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\x_flecheDroite[1].png
image
MD5: fd8bba53bab1ceaad8099de31bae4f1a
SHA256: 4b2e44c38f9792905b574e378d64c778f1b0a90fcee7dabe4893c4c6b5a05fad
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\4[1].jpg
image
MD5: d21356ee956b2078e5f96e7fb677b79b
SHA256: 1efb98206911d51216fcd2247065c3f9e0be505968c9fbfc88a1a88277fb9cba
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\deesse[1].png
image
MD5: 65ea96f79fd74a63ebb5d9f1659f847f
SHA256: bf03846df1597c22450c296eaf1f0bfdd62b5a02675326c25c306ab25b79e8c3
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\2[1].png
image
MD5: 7183881081b4ffb3c4fb3512071a3be9
SHA256: 8296cc53e4b20d99d236c0f6c002e3fe6887187b82b20774078ebabf725b30fb
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3[1].png
image
MD5: 43c8d87aec7250e94dfc50709a2914c9
SHA256: cdad8f715aed8ba00c61d68d4fd604a3c7c0e063a7eaaaf46b612ac347d66696
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].jpg
image
MD5: cd7a54ad54b3b8c6e87f652c5f58fd97
SHA256: 7774a1aca90b3125d125700f4e406b2a81c79e34ed6b6e862cf632e6030d2a1f
4076
Transformice Client.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\x_illu_tribu[1].jpg
image
MD5: f5f2b0f81256e0c851422189a65095f3
SHA256: 6e2b4bf834956e351c3e9952e365c59651a1f372e475a3df5ceb19eb4770f1df
4076
Transformice Client.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EX2ZR42M\localhost\Users\admin\AppData\Roaming\iCooper\Multi\Transformice.swf\Transformice.sol
sol
MD5: ee44229b5b9391a3f3cae34b468c0fd6
SHA256: 08d06c8c12f6041d8a0eb704c60999fc48127259edce6442008890f698bfedc6
4076
Transformice Client.exe