banload | 8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flash_decompiler.exe
Size

26.9MB
MD5

3ccc94c98531d1389f3d1ed06d64f081
SHA1

dfbd71b2f0c9b2af5a643f597b04d1d933ff71a0
SHA256

8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4
SHA512

8563141763b22da9e790ed49544f10a6cb52dbdcebb8082cb8997ebb966c949e88c64be7e260b84df4f5d8079fc270b95912d84b7433af60003b70fdedc75398
SSDEEP

786432:wa0DgoQ4T3vo3YcjGC8qq7ABxE9RUUuCS8G:waygoZTkjG0BxOZG

Score

10^/10

banload discovery downloader dropper evasion persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Executes dropped EXE 6 IoCs

Processes:

flash_decompiler.tmpinstall_flash_player_14_active_x.exeInstallFlashPlayer.exeFlashPlayerUpdateService.exeFlashDecompiler.exeFlashDecompiler.exe

pid	process
2176	flash_decompiler.tmp
2780	install_flash_player_14_active_x.exe
1268	InstallFlashPlayer.exe
4864	FlashPlayerUpdateService.exe
4628	FlashDecompiler.exe
3732	FlashDecompiler.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

InstallFlashPlayer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_14_0_0_176.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_14_0_0_176.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallFlashPlayer.exeinstall_flash_player_14_active_x.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FlashDecompiler.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FlashDecompiler.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flash_decompiler.tmpinstall_flash_player_14_active_x.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	flash_decompiler.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	install_flash_player_14_active_x.exe

Loads dropped DLL 17 IoCs

Processes:

install_flash_player_14_active_x.exeInstallFlashPlayer.exeFlashDecompiler.exe

pid	process
2780	install_flash_player_14_active_x.exe
2780	install_flash_player_14_active_x.exe
2780	install_flash_player_14_active_x.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
2780	install_flash_player_14_active_x.exe
2780	install_flash_player_14_active_x.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

install_flash_player_14_active_x.exeInstallFlashPlayer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	install_flash_player_14_active_x.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe

Drops file in System32 directory 15 IoCs

Processes:

install_flash_player_14_active_x.exeInstallFlashPlayer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\activex.vch	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashInstall.log	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx	install_flash_player_14_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\activex.vch	install_flash_player_14_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.dll	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.dll	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe

Drops file in Program Files directory 39 IoCs

Processes:

flash_decompiler.tmp

description	ioc	process
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-FT2IV.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-EDRH9.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-31PFL.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-4DNDH.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-P2UL1.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-J52I9.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-3TK63.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.msg	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-L3DS1.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-7JL3F.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-0G8K9.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-VL23N.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-7J6CI.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-O9224.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-VL9N0.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-VN075.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-07T8Q.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-7C5SF.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-URNLI.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-1NHFK.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-B40DG.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-VLOU8.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-5ELD1.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-1429V.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-G9DSU.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-86IFL.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-8HLV0.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-A987O.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-I9PN9.tmp	flash_decompiler.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FlashDecompiler.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	FlashDecompiler.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

InstallFlashPlayer.exeinstall_flash_player_14_active_x.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_14_0_0_176_ActiveX.exe"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_14_0_0_176_ActiveX.exe"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash"	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	install_flash_player_14_active_x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	InstallFlashPlayer.exe

Modifies registry class 64 IoCs

Processes:

InstallFlashPlayer.exeinstall_flash_player_14_active_x.exeFlashDecompiler.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32\ = "C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx\\2"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\ = "FlashBroker"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ = "ISimpleTextSelection"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\	InstallFlashPlayer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

flash_decompiler.tmpinstall_flash_player_14_active_x.exeInstallFlashPlayer.exe

pid	process
2176	flash_decompiler.tmp
2176	flash_decompiler.tmp
2780	install_flash_player_14_active_x.exe
2780	install_flash_player_14_active_x.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
2780	install_flash_player_14_active_x.exe
2780	install_flash_player_14_active_x.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

FlashDecompiler.exe

pid process

3732 FlashDecompiler.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

FlashDecompiler.exeAUDIODG.EXE

description	pid	process
Token: 33	3732	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	3732	FlashDecompiler.exe
Token: 33	3732	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	3732	FlashDecompiler.exe
Token: 33	2364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2364	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

flash_decompiler.tmpFlashDecompiler.exe

pid	process
2176	flash_decompiler.tmp
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

FlashDecompiler.exe

pid	process
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

install_flash_player_14_active_x.exeInstallFlashPlayer.exeFlashDecompiler.exe

pid	process
2780	install_flash_player_14_active_x.exe
1268	InstallFlashPlayer.exe
1268	InstallFlashPlayer.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe
3732	FlashDecompiler.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

flash_decompiler.exeflash_decompiler.tmpinstall_flash_player_14_active_x.exeFlashDecompiler.exe

description	pid	process	target process
PID 2280 wrote to memory of 2176	2280	flash_decompiler.exe	flash_decompiler.tmp
PID 2280 wrote to memory of 2176	2280	flash_decompiler.exe	flash_decompiler.tmp
PID 2280 wrote to memory of 2176	2280	flash_decompiler.exe	flash_decompiler.tmp
PID 2176 wrote to memory of 2780	2176	flash_decompiler.tmp	install_flash_player_14_active_x.exe
PID 2176 wrote to memory of 2780	2176	flash_decompiler.tmp	install_flash_player_14_active_x.exe
PID 2176 wrote to memory of 2780	2176	flash_decompiler.tmp	install_flash_player_14_active_x.exe
PID 2780 wrote to memory of 1268	2780	install_flash_player_14_active_x.exe	InstallFlashPlayer.exe
PID 2780 wrote to memory of 1268	2780	install_flash_player_14_active_x.exe	InstallFlashPlayer.exe
PID 2780 wrote to memory of 4864	2780	install_flash_player_14_active_x.exe	FlashPlayerUpdateService.exe
PID 2780 wrote to memory of 4864	2780	install_flash_player_14_active_x.exe	FlashPlayerUpdateService.exe
PID 2780 wrote to memory of 4864	2780	install_flash_player_14_active_x.exe	FlashPlayerUpdateService.exe
PID 2176 wrote to memory of 4628	2176	flash_decompiler.tmp	FlashDecompiler.exe
PID 2176 wrote to memory of 4628	2176	flash_decompiler.tmp	FlashDecompiler.exe
PID 2176 wrote to memory of 4628	2176	flash_decompiler.tmp	FlashDecompiler.exe
PID 4628 wrote to memory of 3732	4628	FlashDecompiler.exe	FlashDecompiler.exe
PID 4628 wrote to memory of 3732	4628	FlashDecompiler.exe	FlashDecompiler.exe
PID 4628 wrote to memory of 3732	4628	FlashDecompiler.exe	FlashDecompiler.exe
PID 4628 wrote to memory of 3732	4628	FlashDecompiler.exe	FlashDecompiler.exe
PID 4628 wrote to memory of 3732	4628	FlashDecompiler.exe	FlashDecompiler.exe

C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe
"C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\is-PUCV1.tmp\flash_decompiler.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PUCV1.tmp\flash_decompiler.tmp" /SL5="$80064,27643739,119296,C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2176

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe" /install
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\{459DFAFA-456D-4B9B-A597-BF1E626D78EB}\InstallFlashPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\{459DFAFA-456D-4B9B-A597-BF1E626D78EB}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295
4⤵
- Executes dropped EXE
- Registers COM server for autorun
- Sets file execution options in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
4⤵
- Executes dropped EXE
PID:4864

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll
Filesize
1.6MB

MD5
b4715ca0f9f08fde8c82ffb89b455460

SHA1
c789d6a8f4b0dae97ebda5b99af7bf1a337882aa

SHA256
00b4e9748dfbdecca3bb3500768bb5e26d7de06ba81050ff0abec35e57517a45

SHA512
961dfd1652b828a7d2e6940908b237adc93559f6f2048026b62bcd46ca38cc0d8d06dacfdaffa381236ddc787a90ce0b5d7f82793474778f494c60b431b6b61f

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll
Filesize
1.6MB

MD5
b4715ca0f9f08fde8c82ffb89b455460

SHA1
c789d6a8f4b0dae97ebda5b99af7bf1a337882aa

SHA256
00b4e9748dfbdecca3bb3500768bb5e26d7de06ba81050ff0abec35e57517a45

SHA512
961dfd1652b828a7d2e6940908b237adc93559f6f2048026b62bcd46ca38cc0d8d06dacfdaffa381236ddc787a90ce0b5d7f82793474778f494c60b431b6b61f

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
Filesize
6.2MB

MD5
180990e3ecf117281e5f270700ce9f07

SHA1
b6c27f55dd4b45f62d21db2030f5d5f1b78c89ba

SHA256
bb476cc25abd354478005d594c25ea61cf1f9b7dee977c9873aae0f128cd47da

SHA512
f2e5a8c3a763338be61b1f647410bcb68aa0be0c9e1e8546cca21153f2defe1b11baa650e129edf1649f47a8c3ebf3ecc9699591555971c92795323fa265d5c6

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
Filesize
6.2MB

MD5
180990e3ecf117281e5f270700ce9f07

SHA1
b6c27f55dd4b45f62d21db2030f5d5f1b78c89ba

SHA256
bb476cc25abd354478005d594c25ea61cf1f9b7dee977c9873aae0f128cd47da

SHA512
f2e5a8c3a763338be61b1f647410bcb68aa0be0c9e1e8546cca21153f2defe1b11baa650e129edf1649f47a8c3ebf3ecc9699591555971c92795323fa265d5c6

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
Filesize
6.2MB

MD5
180990e3ecf117281e5f270700ce9f07

SHA1
b6c27f55dd4b45f62d21db2030f5d5f1b78c89ba

SHA256
bb476cc25abd354478005d594c25ea61cf1f9b7dee977c9873aae0f128cd47da

SHA512
f2e5a8c3a763338be61b1f647410bcb68aa0be0c9e1e8546cca21153f2defe1b11baa650e129edf1649f47a8c3ebf3ecc9699591555971c92795323fa265d5c6

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll
Filesize
2.7MB

MD5
7ce4c8d8c43dadebee3a83d9e4aa37b9

SHA1
9e8ee1a9be72dc03fce99316253ddb9e8b42f279

SHA256
0fb7a0e27e5b6aca0fb04d6161c43d8ffb9f3e7c0d9c416b308c1a58ef7ac0aa

SHA512
0b21cd8b7c3b92101ec11236d7e3f68ddccf23b317bca1854849d34e67469e349c8a75ecc6b978bc046fcd70270f3125c6eacdd12dea09c042edd536a4c8a123

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll
Filesize
2.7MB

MD5
7ce4c8d8c43dadebee3a83d9e4aa37b9

SHA1
9e8ee1a9be72dc03fce99316253ddb9e8b42f279

SHA256
0fb7a0e27e5b6aca0fb04d6161c43d8ffb9f3e7c0d9c416b308c1a58ef7ac0aa

SHA512
0b21cd8b7c3b92101ec11236d7e3f68ddccf23b317bca1854849d34e67469e349c8a75ecc6b978bc046fcd70270f3125c6eacdd12dea09c042edd536a4c8a123

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll
Filesize
2.7MB

MD5
7ce4c8d8c43dadebee3a83d9e4aa37b9

SHA1
9e8ee1a9be72dc03fce99316253ddb9e8b42f279

SHA256
0fb7a0e27e5b6aca0fb04d6161c43d8ffb9f3e7c0d9c416b308c1a58ef7ac0aa

SHA512
0b21cd8b7c3b92101ec11236d7e3f68ddccf23b317bca1854849d34e67469e349c8a75ecc6b978bc046fcd70270f3125c6eacdd12dea09c042edd536a4c8a123

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll
Filesize
630KB

MD5
5903c75593c744acd1c49d290bb24fe1

SHA1
13014411f3d6d16926c96fdd6e89253ed55ba250

SHA256
a974a051e8d26dbe0a672e710f9b3ab71d1407580301fa7d64d35eef96cd7056

SHA512
201e820fc80c8d2f44ac0483b91bb40383cef534a692c85872142b7b39ea29bf85151b13a41d5d97a10767facc8e9f8a49e333daee43a73a7d0f815b6362ee4b

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll
Filesize
630KB

MD5
5903c75593c744acd1c49d290bb24fe1

SHA1
13014411f3d6d16926c96fdd6e89253ed55ba250

SHA256
a974a051e8d26dbe0a672e710f9b3ab71d1407580301fa7d64d35eef96cd7056

SHA512
201e820fc80c8d2f44ac0483b91bb40383cef534a692c85872142b7b39ea29bf85151b13a41d5d97a10767facc8e9f8a49e333daee43a73a7d0f815b6362ee4b

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll
Filesize
99KB

MD5
d7cfb561dc0170a3db0c9352b31a06f2

SHA1
84f0ee0f528fd2368951430a7ad63dc441963e45

SHA256
a23151c333250549de42b83c6aff06c0880ed829331c9cafa158d1b39a4c58ff

SHA512
eb541e663ed6ab9ee41ad7ea16997d63b1b586d3b78a7a9d4bc78f651dbdd5b5263f3b39c0dc85736cdd67d150739872a87511bfdd45ac120c9297bfffb3b6df

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll
Filesize
99KB

MD5
d7cfb561dc0170a3db0c9352b31a06f2

SHA1
84f0ee0f528fd2368951430a7ad63dc441963e45

SHA256
a23151c333250549de42b83c6aff06c0880ed829331c9cafa158d1b39a4c58ff

SHA512
eb541e663ed6ab9ee41ad7ea16997d63b1b586d3b78a7a9d4bc78f651dbdd5b5263f3b39c0dc85736cdd67d150739872a87511bfdd45ac120c9297bfffb3b6df

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.DLL
Filesize
286KB

MD5
0a9b1ff3db39aeba0ba1ce1eca3bc62b

SHA1
3d21ec0d2ffe3a5b122cc165f34067c45ef5a126

SHA256
ca6af76acd53124c033648369d31268723398d5c3422113fc59e9dc630d17f91

SHA512
a4cd4f513db67c48e8eb1ade323302430a11285e8e3b90b0c4394bc63bd9957373ad0d64bca2458cec8a0c5edfcf57459fc378dcded2e22e9468c1e2d34d8a6d

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll
Filesize
286KB

MD5
0a9b1ff3db39aeba0ba1ce1eca3bc62b

SHA1
3d21ec0d2ffe3a5b122cc165f34067c45ef5a126

SHA256
ca6af76acd53124c033648369d31268723398d5c3422113fc59e9dc630d17f91

SHA512
a4cd4f513db67c48e8eb1ade323302430a11285e8e3b90b0c4394bc63bd9957373ad0d64bca2458cec8a0c5edfcf57459fc378dcded2e22e9468c1e2d34d8a6d

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll
Filesize
151KB

MD5
c9ea8c737889cd4f87b72b06239d4a4f

SHA1
b6dae6ac26725f3e23fd2f184c490a8dd489bc42

SHA256
513381fbbd4950c172699070af6a45c8c3193488e26202e33df4397f45816730

SHA512
bc999121aac043d445a21fe4d18d8122dc46ae9c672c647f773d9d9dfc10a00a2735616706c75363d0ec52a9731434221a695fc5b94e49b850d88112e6601489

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll
Filesize
151KB

MD5
c9ea8c737889cd4f87b72b06239d4a4f

SHA1
b6dae6ac26725f3e23fd2f184c490a8dd489bc42

SHA256
513381fbbd4950c172699070af6a45c8c3193488e26202e33df4397f45816730

SHA512
bc999121aac043d445a21fe4d18d8122dc46ae9c672c647f773d9d9dfc10a00a2735616706c75363d0ec52a9731434221a695fc5b94e49b850d88112e6601489

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
Filesize
17.7MB

MD5
f84400792447ebf6adaa615bcf149eb5

SHA1
16231b509d8e689dc34ae36597d41c4fb1b3a67e

SHA256
cb3043490ce4bf1210098746af8be5a19e7a6d5ae153d34636efbe4bf9af3ef8

SHA512
edf5193b6058c949766d545e7fad87db03fd1eaed5e9d75caed4bbda13ec560a67957391930e582c82c9005023db73585e722b6bc31f9fb0d36cb903be8a7efe

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
Filesize
17.7MB

MD5
f84400792447ebf6adaa615bcf149eb5

SHA1
16231b509d8e689dc34ae36597d41c4fb1b3a67e

SHA256
cb3043490ce4bf1210098746af8be5a19e7a6d5ae153d34636efbe4bf9af3ef8

SHA512
edf5193b6058c949766d545e7fad87db03fd1eaed5e9d75caed4bbda13ec560a67957391930e582c82c9005023db73585e722b6bc31f9fb0d36cb903be8a7efe

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\fd_demo_limits.swf
Filesize
811KB

MD5
39a58b195a0c0c3fc7fa104e9e8ff2fa

SHA1
0da735a8d3db03b405ccf5ab0ebea5827cf4a564

SHA256
07e0e16492f4a8bff66b92622062c4950b05a64c879731523d643bbc0b94d78a

SHA512
9ade4be4618353500cb05c372668d56a941eb8a3aac7348df684d3362fd0e508dbabe8bf78dddafe90b99be0ca90a0990005d41f5a5726c2dc57a6bc5958d5e7

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\fd_intro.swf
Filesize
535KB

MD5
27ee9e17cb9c15d526e81c2a5e4f3524

SHA1
03ab26767124533b11ae46eca68ae861c32d0b5f

SHA256
72c39bda39402e786a1e77043435758c4742d43dd84dbf839b5bbffc5f4c56e4

SHA512
98e89b84782318f5fc771b73fd804664770fbdba4018ebd1bd78b89346a29d1988b490b2703f72bf7650f1065136aec142a16bd452615fe089527eaab18d02af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUCV1.tmp\flash_decompiler.tmp
Filesize
1.1MB

MD5
c9cf73dd30f17a16fdc1c96aea79c75d

SHA1
73572ec70cc6dbe8096da804c1d1e7fb3cc0baab

SHA256
ba46791872b52dd5b8669c60e3b0ed77b3c9fac4c12c228130bad6db6c3380f9

SHA512
e1fd8a1d65c60dedcfdcb10cf028fab51e96a8dc6442f7af5073a86a1373dd30b6e35f4e6c64d590ca0131de5146500cde00f2b72927fd48e7b835a47fa0e942

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUCV1.tmp\flash_decompiler.tmp
Filesize
1.1MB

MD5
c9cf73dd30f17a16fdc1c96aea79c75d

SHA1
73572ec70cc6dbe8096da804c1d1e7fb3cc0baab

SHA256
ba46791872b52dd5b8669c60e3b0ed77b3c9fac4c12c228130bad6db6c3380f9

SHA512
e1fd8a1d65c60dedcfdcb10cf028fab51e96a8dc6442f7af5073a86a1373dd30b6e35f4e6c64d590ca0131de5146500cde00f2b72927fd48e7b835a47fa0e942

Download Submit
C:\Users\Admin\AppData\Local\Temp\{36ECC312-99F8-448F-9621-3AD9F67DCECC}\fpb.tmp
Filesize
831KB

MD5
e23251f56bd9de8dd18a8d68885dab78

SHA1
84358654fd43202d39c342cc394f3dc88fcabe03

SHA256
91d6e2237a156e502c4f2041ca3ff38d769b2003384cdfaa51f227f3e9b5ab25

SHA512
32f45ee1217aef553b11584212e15b73fbe04a2aece882d1cd2b39b0232160ffd42958d7f0d4c7d6b8efeec41af550ac53d3c39a08f1af36ecd419d40dc521d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{36ECC312-99F8-448F-9621-3AD9F67DCECC}\fpb.tmp
Filesize
831KB

MD5
e23251f56bd9de8dd18a8d68885dab78

SHA1
84358654fd43202d39c342cc394f3dc88fcabe03

SHA256
91d6e2237a156e502c4f2041ca3ff38d769b2003384cdfaa51f227f3e9b5ab25

SHA512
32f45ee1217aef553b11584212e15b73fbe04a2aece882d1cd2b39b0232160ffd42958d7f0d4c7d6b8efeec41af550ac53d3c39a08f1af36ecd419d40dc521d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38BB4F51-7564-40B2-89F8-784FFE4A4EF7}\fpb.tmp
Filesize
525KB

MD5
9d08e472e123b7701e90ca38168a8fb5

SHA1
3811ca63a36ea3128e50ab16edcf126f238b20a7

SHA256
c14c86a7b7b3b72644b9cd212ccc128e0a0a34dd20dc7d0a4d4fc8580dd36ade

SHA512
9341850fe1ba838dd54f4c985679f90dfd804c1149c85dce1a362dd7ebc8b336f448ca02d30bad4d91ba22f43b00e975e1d6551bf3329f27afc7dae571cf5e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\{459DFAFA-456D-4B9B-A597-BF1E626D78EB}\InstallFlashPlayer.exe
Filesize
8.9MB

MD5
734b50e3625e44791d0cb607422c2a85

SHA1
88ba4d5b9e5a01714ae85b82c3c6ec73833ccfbf

SHA256
3fd01a451c76e699b4e87dfd29d8fb84800eebddcd3c2976691193947fab9467

SHA512
8ccc2e973b88b4dbab531a59c1298b7ee49a78e1dac1aad6bb2f4b5489356fb3bc3d53ef779d4b22c97462e4e1af6f03d4d4e38b9a7738ead389920e5c62a77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{459DFAFA-456D-4B9B-A597-BF1E626D78EB}\InstallFlashPlayer.exe
Filesize
8.9MB

MD5
734b50e3625e44791d0cb607422c2a85

SHA1
88ba4d5b9e5a01714ae85b82c3c6ec73833ccfbf

SHA256
3fd01a451c76e699b4e87dfd29d8fb84800eebddcd3c2976691193947fab9467

SHA512
8ccc2e973b88b4dbab531a59c1298b7ee49a78e1dac1aad6bb2f4b5489356fb3bc3d53ef779d4b22c97462e4e1af6f03d4d4e38b9a7738ead389920e5c62a77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5C9F07EA-8F0B-4C38-B977-9922EF632B6C}\fpb.tmp
Filesize
501KB

MD5
7805e5fd154a06c713fe9c6e3d4f02c9

SHA1
757b51d549a72a6157bcef7cbed38058c303c61c

SHA256
2d40a95b58ca7db3b11a7b73079e856074c3fd76c4e0f9d7c2741c5ecadd242e

SHA512
36201753349b94d5216bd56f2b2af240544654c4c3def195dfae74efe5b893cae25e6653d831be18c03b98a67f8413c3b607200ee9b4562a5f4d4ccaea7bbde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9CEA85DF-4A3D-451A-9498-A46C22CD8333}\fpb.tmp
Filesize
553KB

MD5
69a24367f48f7984a5b343551a171072

SHA1
082182f7419175e62f28bf18f97210a1e0117fe1

SHA256
6ac3e542dfb2b06fcb7771211e9c392e72bbe690982cb4cbdd810949587b2c42

SHA512
ef8b50ba4fc402b92b4c14e1e259c861c8da26e0e2be61b3275fefb2cd6e66362cb81d8cd989bb41496e6641977da4c7c05031f2055ecffdba9eaa23c6203ed3

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx
Filesize
16.3MB

MD5
224abf3a6e87b978da13457246f3089b

SHA1
a3702389e1dba21ecc408c352feee32e2afa6deb

SHA256
89fac246784237bb1af6944883eefba6d9475fd824595bcde57743ddac918511

SHA512
10740e3a6b3343f6db89eda8d186afb54127bd7fcb8b4b0c750fecbb6fc7a05b466c358373ce80b0b135a6988fa431996abeff4ba792efe97c7013f9b40ed5f6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx
Filesize
16.3MB

MD5
224abf3a6e87b978da13457246f3089b

SHA1
a3702389e1dba21ecc408c352feee32e2afa6deb

SHA256
89fac246784237bb1af6944883eefba6d9475fd824595bcde57743ddac918511

SHA512
10740e3a6b3343f6db89eda8d186afb54127bd7fcb8b4b0c750fecbb6fc7a05b466c358373ce80b0b135a6988fa431996abeff4ba792efe97c7013f9b40ed5f6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx
Filesize
16.3MB

MD5
224abf3a6e87b978da13457246f3089b

SHA1
a3702389e1dba21ecc408c352feee32e2afa6deb

SHA256
89fac246784237bb1af6944883eefba6d9475fd824595bcde57743ddac918511

SHA512
10740e3a6b3343f6db89eda8d186afb54127bd7fcb8b4b0c750fecbb6fc7a05b466c358373ce80b0b135a6988fa431996abeff4ba792efe97c7013f9b40ed5f6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Filesize
256KB

MD5
9e5197d65ba34a4db45b8befc3288c23

SHA1
e7a6227ee35d0e7a559bee8431ac9951526f7936

SHA256
ebbe6126b6b73616032f8e1731642e35c6cb6b395ef74bccb781cae076ee8434

SHA512
e3e350b973f18d711dd02c53cf10be6cff82b593c96d54809595ecfad6cbd080734e0f59144ee107115897c753c57010f13ecf175b73b5bbb3e711e924009216

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Filesize
256KB

MD5
9e5197d65ba34a4db45b8befc3288c23

SHA1
e7a6227ee35d0e7a559bee8431ac9951526f7936

SHA256
ebbe6126b6b73616032f8e1731642e35c6cb6b395ef74bccb781cae076ee8434

SHA512
e3e350b973f18d711dd02c53cf10be6cff82b593c96d54809595ecfad6cbd080734e0f59144ee107115897c753c57010f13ecf175b73b5bbb3e711e924009216

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe
Filesize
831KB

MD5
e23251f56bd9de8dd18a8d68885dab78

SHA1
84358654fd43202d39c342cc394f3dc88fcabe03

SHA256
91d6e2237a156e502c4f2041ca3ff38d769b2003384cdfaa51f227f3e9b5ab25

SHA512
32f45ee1217aef553b11584212e15b73fbe04a2aece882d1cd2b39b0232160ffd42958d7f0d4c7d6b8efeec41af550ac53d3c39a08f1af36ecd419d40dc521d4

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\activex.vch
Filesize
1.5MB

MD5
d3df1022c8caacba253ebfb4eb593a66

SHA1
1720b3dd6004c8240e657147341bb7e6d07134e6

SHA256
26e2b59d2b3df2db5e95e17a29e5a7a9968a188cea67c956d804fd94f0a5dafb

SHA512
16bc1e0cd7e7bdbbb3212e4b7a76f3d6ef9c2b77a258110caf6c083d84a080ccf458056e0678f68581ccdc0840ae85d188b58dc40c143fd3ea348b26a3beffc8

Download Submit
C:\Windows\System32\Macromed\Flash\Flash64_14_0_0_176.ocx
Filesize
22.6MB

MD5
2d70c6bfe45293ad77679b597d48dc8f

SHA1
4179ce679fdc31ac4a1210f294b6c7b885b0764d

SHA256
88efae613403eb3979eb6eaa148bd50bd9b5f70a1b64f53625cb1c0917ad999a

SHA512
52f26b09485e97f305b5ad5707db5283cb3275ad0f8684b205995591e1e1ac5e6bf6edffa90d940da1938fd61621d815b3b8e6bb2e9debcdc73cebf5ab2a4cad

Download Submit
C:\Windows\System32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe
Filesize
525KB

MD5
9d08e472e123b7701e90ca38168a8fb5

SHA1
3811ca63a36ea3128e50ab16edcf126f238b20a7

SHA256
c14c86a7b7b3b72644b9cd212ccc128e0a0a34dd20dc7d0a4d4fc8580dd36ade

SHA512
9341850fe1ba838dd54f4c985679f90dfd804c1149c85dce1a362dd7ebc8b336f448ca02d30bad4d91ba22f43b00e975e1d6551bf3329f27afc7dae571cf5e90

Download Submit
memory/1268-152-0x0000000061870000-0x0000000062FF3000-memory.dmp

Filesize
23.5MB

Download
memory/1268-212-0x0000000061870000-0x0000000062FF3000-memory.dmp

Filesize
23.5MB

Download
memory/1268-145-0x0000000000000000-mapping.dmp

Download
memory/2176-134-0x0000000000000000-mapping.dmp

Download
memory/2280-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2280-137-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2280-166-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2280-138-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2780-139-0x0000000000000000-mapping.dmp

Download
memory/3732-198-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-201-0x00000000037C0000-0x0000000003930000-memory.dmp

Filesize
1.4MB

Download
memory/3732-178-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-211-0x0000000064940000-0x0000000064A16000-memory.dmp

Filesize
856KB

Download
memory/3732-195-0x0000000004A70000-0x0000000005039000-memory.dmp

Filesize
5.8MB

Download
memory/3732-194-0x0000000000401000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/3732-174-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-179-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-196-0x0000000000401000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/3732-197-0x0000000064940000-0x0000000064A16000-memory.dmp

Filesize
856KB

Download
memory/3732-173-0x00000000037C0000-0x0000000003930000-memory.dmp

Filesize
1.4MB

Download
memory/3732-199-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-210-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-162-0x0000000000000000-mapping.dmp

Download
memory/3732-202-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-175-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3732-209-0x00000000037C0000-0x0000000003930000-memory.dmp

Filesize
1.4MB

Download
memory/3732-189-0x0000000004A70000-0x0000000005039000-memory.dmp

Filesize
5.8MB

Download
memory/3732-167-0x00000000037C0000-0x0000000003930000-memory.dmp

Filesize
1.4MB

Download
memory/3732-176-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4628-208-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4628-165-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4628-200-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4628-158-0x0000000000000000-mapping.dmp

Download
memory/4864-155-0x0000000000000000-mapping.dmp

Download