banload | 8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4

Analysis

max time kernel
149s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flash_decompiler (1).exe
Size

26.9MB
MD5

3ccc94c98531d1389f3d1ed06d64f081
SHA1

dfbd71b2f0c9b2af5a643f597b04d1d933ff71a0
SHA256

8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4
SHA512

8563141763b22da9e790ed49544f10a6cb52dbdcebb8082cb8997ebb966c949e88c64be7e260b84df4f5d8079fc270b95912d84b7433af60003b70fdedc75398
SSDEEP

786432:wa0DgoQ4T3vo3YcjGC8qq7ABxE9RUUuCS8G:waygoZTkjG0BxOZG

Score

10^/10

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FlashDecompiler.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	flash_decompiler (1).tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	install_flash_player_14_active_x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	FlashDecompiler.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
2084	flash_decompiler (1).tmp
4912	install_flash_player_14_active_x.exe
3128	InstallFlashPlayer.exe
2196	FlashPlayerUpdateService.exe
400	FlashDecompiler.exe
5012	FlashDecompiler.exe
3396	FlashDecompiler.exe
4260	FlashDecompiler.exe
3508	FlashDecompiler.exe
4896	FlashDecompiler.exe

Loads dropped DLL 33 IoCs

pid	Process
4912	install_flash_player_14_active_x.exe
4912	install_flash_player_14_active_x.exe
4912	install_flash_player_14_active_x.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
4912	install_flash_player_14_active_x.exe
4912	install_flash_player_14_active_x.exe
4912	install_flash_player_14_active_x.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	install_flash_player_14_active_x.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3128	InstallFlashPlayer.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.dll	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashInstall.log	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.dll	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\activex.vch	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\activex.vch	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-G25EP.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-OQSGS.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-SPJGI.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-9P3L1.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-IANA1.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-519PE.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-6646O.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-6D9UT.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-8VQET.tmp	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-FE0AB.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-IJJ8U.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-M6AQ7.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-VM3P8.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-IDQMU.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-851RM.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-UQVAA.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-ST2J6.tmp	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-OPIHM.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-1QNSO.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.msg	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-GUC1S.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-1HK9J.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-M1U9T.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-1QOC0.tmp	flash_decompiler (1).tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-2UF2R.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-7CO2F.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-9T6T4.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-O4DTO.tmp	flash_decompiler (1).tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-N8CG6.tmp	flash_decompiler (1).tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flash_decompiler (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flash_decompiler (1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install_flash_player_14_active_x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashPlayerUpdateService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FlashDecompiler.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	InstallFlashPlayer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_14_0_0_176_ActiveX.exe"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	install_flash_player_14_active_x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_14_0_0_176_ActiveX.exe"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	install_flash_player_14_active_x.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Xlgwn = "]QwB\|ZvmmbqT"	FlashDecompiler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\lmmZfZcBw = "F^sX`{SKu]]B^qCHa"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\cgCoyAe = "Zf\x7f\\YzumUBNs`EwsSj}GkUy[SyqRRBJ"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Xlgwn = "YQwB\|ZtKbE{X"	FlashDecompiler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.14"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\Xlgwn = "ONBrkMHsuLmz"	FlashDecompiler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_14_0_0_176.ocx, 1"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalizedString = "@C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\cgCoyAe = "b]f_uHThV`hN{AOapo~Fgkrj^\\awPHW"	FlashDecompiler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalizedString = "@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe,-101"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open with Flash Decompiler\command\ = "C:\\Program Files (x86)\\Eltima Software\\Flash Decompiler Trillix\\FlashDecompiler.exe \"%1\""	flash_decompiler (1).tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Xlgwn = "_qwB\|ZtDgyLT"	FlashDecompiler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\Xlgwn = "M^BrkMK{iTI^"	FlashDecompiler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\ = "CLSID_SearchFolder"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\lmmZfZcBw = "jayzGTEg[kn~}LjF["	FlashDecompiler.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\lmmZfZcBw = "F^sX`{SKu]]B^qCHa"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\Xlgwn = "O~BrkMJgSPv\\"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open with Flash Decompiler	flash_decompiler (1).tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\cgCoyAe = "Zf\x7f\\yzumUBNs@EwsSj}N{]y[SyqRRBJ"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Skxjsnh = "ky_i\x7fSL\\cg\|SaCYSz_HMflY"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	InstallFlashPlayer.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:DED17083	FlashDecompiler.exe
File opened for modification	C:\ProgramData\TEMP:DED17083	FlashDecompiler.exe
File opened for modification	C:\ProgramData\TEMP:DED17083	FlashDecompiler.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2084	flash_decompiler (1).tmp
2084	flash_decompiler (1).tmp
4912	install_flash_player_14_active_x.exe
4912	install_flash_player_14_active_x.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
4912	install_flash_player_14_active_x.exe
4912	install_flash_player_14_active_x.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4260	FlashDecompiler.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	5012	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	5012	FlashDecompiler.exe
Token: 33	5012	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	5012	FlashDecompiler.exe
Token: 33	4260	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	4260	FlashDecompiler.exe
Token: 33	4260	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	4260	FlashDecompiler.exe
Token: 33	4964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4964	AUDIODG.EXE
Token: 33	4896	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	4896	FlashDecompiler.exe
Token: 33	4896	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	4896	FlashDecompiler.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2084	flash_decompiler (1).tmp
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4912	install_flash_player_14_active_x.exe
3128	InstallFlashPlayer.exe
3128	InstallFlashPlayer.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
5012	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4260	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe
4896	FlashDecompiler.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2084	4928	flash_decompiler (1).exe	86
PID 4928 wrote to memory of 2084	4928	flash_decompiler (1).exe	86
PID 4928 wrote to memory of 2084	4928	flash_decompiler (1).exe	86
PID 2084 wrote to memory of 4912	2084	flash_decompiler (1).tmp	92
PID 2084 wrote to memory of 4912	2084	flash_decompiler (1).tmp	92
PID 2084 wrote to memory of 4912	2084	flash_decompiler (1).tmp	92
PID 4912 wrote to memory of 3128	4912	install_flash_player_14_active_x.exe	95
PID 4912 wrote to memory of 3128	4912	install_flash_player_14_active_x.exe	95
PID 4912 wrote to memory of 2196	4912	install_flash_player_14_active_x.exe	97
PID 4912 wrote to memory of 2196	4912	install_flash_player_14_active_x.exe	97
PID 4912 wrote to memory of 2196	4912	install_flash_player_14_active_x.exe	97
PID 2084 wrote to memory of 400	2084	flash_decompiler (1).tmp	100
PID 2084 wrote to memory of 400	2084	flash_decompiler (1).tmp	100
PID 2084 wrote to memory of 400	2084	flash_decompiler (1).tmp	100
PID 400 wrote to memory of 5012	400	FlashDecompiler.exe	101
PID 400 wrote to memory of 5012	400	FlashDecompiler.exe	101
PID 400 wrote to memory of 5012	400	FlashDecompiler.exe	101
PID 400 wrote to memory of 5012	400	FlashDecompiler.exe	101
PID 400 wrote to memory of 5012	400	FlashDecompiler.exe	101
PID 3396 wrote to memory of 4260	3396	FlashDecompiler.exe	108
PID 3396 wrote to memory of 4260	3396	FlashDecompiler.exe	108
PID 3396 wrote to memory of 4260	3396	FlashDecompiler.exe	108
PID 3396 wrote to memory of 4260	3396	FlashDecompiler.exe	108
PID 3396 wrote to memory of 4260	3396	FlashDecompiler.exe	108
PID 4260 wrote to memory of 3508	4260	FlashDecompiler.exe	111
PID 4260 wrote to memory of 3508	4260	FlashDecompiler.exe	111
PID 4260 wrote to memory of 3508	4260	FlashDecompiler.exe	111
PID 3508 wrote to memory of 4896	3508	FlashDecompiler.exe	112
PID 3508 wrote to memory of 4896	3508	FlashDecompiler.exe	112
PID 3508 wrote to memory of 4896	3508	FlashDecompiler.exe	112
PID 3508 wrote to memory of 4896	3508	FlashDecompiler.exe	112
PID 3508 wrote to memory of 4896	3508	FlashDecompiler.exe	112

C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe
"C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp" /SL5="$A0286,27643739,119296,C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
    "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe" /install
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe
      "C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Network Service Discovery
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3128
  - - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2196
- - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
    "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
      "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5012

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
  "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
  2⤵
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
    "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe" ""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
      "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe" ""
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll

Filesize
1.6MB

MD5
b4715ca0f9f08fde8c82ffb89b455460

SHA1
c789d6a8f4b0dae97ebda5b99af7bf1a337882aa

SHA256
00b4e9748dfbdecca3bb3500768bb5e26d7de06ba81050ff0abec35e57517a45

SHA512
961dfd1652b828a7d2e6940908b237adc93559f6f2048026b62bcd46ca38cc0d8d06dacfdaffa381236ddc787a90ce0b5d7f82793474778f494c60b431b6b61f

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

Filesize
6.2MB

MD5
180990e3ecf117281e5f270700ce9f07

SHA1
b6c27f55dd4b45f62d21db2030f5d5f1b78c89ba

SHA256
bb476cc25abd354478005d594c25ea61cf1f9b7dee977c9873aae0f128cd47da

SHA512
f2e5a8c3a763338be61b1f647410bcb68aa0be0c9e1e8546cca21153f2defe1b11baa650e129edf1649f47a8c3ebf3ecc9699591555971c92795323fa265d5c6

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll

Filesize
2.7MB

MD5
7ce4c8d8c43dadebee3a83d9e4aa37b9

SHA1
9e8ee1a9be72dc03fce99316253ddb9e8b42f279

SHA256
0fb7a0e27e5b6aca0fb04d6161c43d8ffb9f3e7c0d9c416b308c1a58ef7ac0aa

SHA512
0b21cd8b7c3b92101ec11236d7e3f68ddccf23b317bca1854849d34e67469e349c8a75ecc6b978bc046fcd70270f3125c6eacdd12dea09c042edd536a4c8a123

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll

Filesize
630KB

MD5
5903c75593c744acd1c49d290bb24fe1

SHA1
13014411f3d6d16926c96fdd6e89253ed55ba250

SHA256
a974a051e8d26dbe0a672e710f9b3ab71d1407580301fa7d64d35eef96cd7056

SHA512
201e820fc80c8d2f44ac0483b91bb40383cef534a692c85872142b7b39ea29bf85151b13a41d5d97a10767facc8e9f8a49e333daee43a73a7d0f815b6362ee4b

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll

Filesize
99KB

MD5
d7cfb561dc0170a3db0c9352b31a06f2

SHA1
84f0ee0f528fd2368951430a7ad63dc441963e45

SHA256
a23151c333250549de42b83c6aff06c0880ed829331c9cafa158d1b39a4c58ff

SHA512
eb541e663ed6ab9ee41ad7ea16997d63b1b586d3b78a7a9d4bc78f651dbdd5b5263f3b39c0dc85736cdd67d150739872a87511bfdd45ac120c9297bfffb3b6df

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll

Filesize
286KB

MD5
0a9b1ff3db39aeba0ba1ce1eca3bc62b

SHA1
3d21ec0d2ffe3a5b122cc165f34067c45ef5a126

SHA256
ca6af76acd53124c033648369d31268723398d5c3422113fc59e9dc630d17f91

SHA512
a4cd4f513db67c48e8eb1ade323302430a11285e8e3b90b0c4394bc63bd9957373ad0d64bca2458cec8a0c5edfcf57459fc378dcded2e22e9468c1e2d34d8a6d

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll

Filesize
151KB

MD5
c9ea8c737889cd4f87b72b06239d4a4f

SHA1
b6dae6ac26725f3e23fd2f184c490a8dd489bc42

SHA256
513381fbbd4950c172699070af6a45c8c3193488e26202e33df4397f45816730

SHA512
bc999121aac043d445a21fe4d18d8122dc46ae9c672c647f773d9d9dfc10a00a2735616706c75363d0ec52a9731434221a695fc5b94e49b850d88112e6601489

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe

Filesize
17.7MB

MD5
f84400792447ebf6adaa615bcf149eb5

SHA1
16231b509d8e689dc34ae36597d41c4fb1b3a67e

SHA256
cb3043490ce4bf1210098746af8be5a19e7a6d5ae153d34636efbe4bf9af3ef8

SHA512
edf5193b6058c949766d545e7fad87db03fd1eaed5e9d75caed4bbda13ec560a67957391930e582c82c9005023db73585e722b6bc31f9fb0d36cb903be8a7efe

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\fd_demo_limits.swf

Filesize
811KB

MD5
39a58b195a0c0c3fc7fa104e9e8ff2fa

SHA1
0da735a8d3db03b405ccf5ab0ebea5827cf4a564

SHA256
07e0e16492f4a8bff66b92622062c4950b05a64c879731523d643bbc0b94d78a

SHA512
9ade4be4618353500cb05c372668d56a941eb8a3aac7348df684d3362fd0e508dbabe8bf78dddafe90b99be0ca90a0990005d41f5a5726c2dc57a6bc5958d5e7

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\fd_intro.swf

Filesize
535KB

MD5
27ee9e17cb9c15d526e81c2a5e4f3524

SHA1
03ab26767124533b11ae46eca68ae861c32d0b5f

SHA256
72c39bda39402e786a1e77043435758c4742d43dd84dbf839b5bbffc5f4c56e4

SHA512
98e89b84782318f5fc771b73fd804664770fbdba4018ebd1bd78b89346a29d1988b490b2703f72bf7650f1065136aec142a16bd452615fe089527eaab18d02af

Download Submit
C:\ProgramData\AutoUpdate\FlashDecompiler.exe\SkippedVersions.xml

Filesize
60B

MD5
35e1ba488afb8750e88202c2725276c7

SHA1
542113bc9038aaf39ae80026d732b3bdbe10db37

SHA256
362b352cab09d9ab37d5558e8283652e747be017369d05b5a517a61765ccaf34

SHA512
bb72bafd23d82be55fad592fefcb367b128b8d2ac4ebb706af093b5d1b8513d4bcb4b25c2b088f6e025e550f0944edd972fb6d0f0c4c57bc119e66bbb653b4b0

Download Submit
C:\ProgramData\AutoUpdate\FlashDecompiler.exe\Statistics.xml

Filesize
55B

MD5
6f4a6f22eb4e1d9c0af83b8e413e88b8

SHA1
aae506ed4366c5490c6acd9f7a466f135111d743

SHA256
7f21b4b275cf9d504c05ad6eb3b0cd26e499980d0dba4e52cfc09bd838c1871b

SHA512
e7b8a572ba0aacc00ad98517ad1fd84bf30cd09f3ebd3ed66b13bcba24dc95833a537e3b2d8ed9bd4387187aedec20dd14e0da03dc2c598705992e669bd4fa8b

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
e7508ea9f01f62da99a490eea1ff198e

SHA1
f3a49e037db70e9e3f320db59120f7c138fb4457

SHA256
efe3be66786b73138c9b1154f7e5baf11d60fee0bf21d96768e6cb97f11b01e2

SHA512
c036d7ee330c10a7c18f2c9b6304ae82433adea1683d14cd16d1dcba955abec7080aaf89acb94985a82aa603d3c76b1bfc7fae7ca1a92ae776f742e341398ecb

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
7b0bae1f65447f716cdc95f55afe839a

SHA1
14507b2080856024d42692c1e77626050b8b7d87

SHA256
e9684595bde02e05a5a58d87997f2fa52784a56f582e73d036effa1cccdc1d62

SHA512
719283a4c1b9908601f9c30d5ad2d8b582de406dcac8941bed3de8c49ba453958e35c6b38fe734a3ebf31b337862ecd82974578f4babdc761485b5130c637212

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
e8e7435171cfe37f31b8c09af2eb959e

SHA1
7a5e469e1de8b8612abdb7cb0ab16e2e13162c4b

SHA256
548547b3a781bf73a23d10a256217e364a0e256fdd0d2fe5ddbc90d5de8cac3f

SHA512
c8b268616309dc35aca558f15907dfeda37090a31e379cc5bcc0bd12f3a7323d16983049f267138d6fa18452ec2d39a0463381c016223cbbd9a12416e4cd5e72

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
d829334d571b3f57c073b3cb7da28a96

SHA1
2757f20336d95b0685f1a9632e686c6884e17cdf

SHA256
a82c7b54d1aaf9fddb690b607bb64aa8de6d696f55c889fda87afa5d333540d3

SHA512
57ba6eeace6c8bdfdcd97204a2ac51c14f16099cdae6360f74fc93e6f9e1d4bb65a639c95b1ebfcbb3b9038f0fd9a79bd0128dd98afabd1c545895b9e938fa8f

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
e1e60280dd274d0e7917486cec3f2413

SHA1
f60a37c2cefec2dc23b92ac39af0f56f261988e5

SHA256
7aeb3bf9fd277e0a952339c4d54ddbc94dfba731e9f5cc899a1239bd8ec22491

SHA512
5d639a039092976f2bffa69cf9e1542ccee3d7b5016ed7639c387d4caa19ff7a36a0c1eb01d116dea3b54177e43361f852b3678be191b93e0122e8f9551d26c8

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
bb26135ac641e4dc3d6ec63a9e704347

SHA1
302e7b3b8e272bb71d4954ecf1c6c6c6bbf6d5d7

SHA256
e829c407984c26900aba9417896c33ee9d549161d01499838a5c4216f890c062

SHA512
dbc2e1038b411bc69ef8820d0d64479a62505edc4acc279952284c03e00996d69ad9f47f26ce4cc36b5911ba375937fc7b9dcf3793fc4de9b6ee5da510964087

Download Submit
C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

Filesize
146B

MD5
ca07f01af3dbf8a1cd6feb024cff6466

SHA1
a8cf289ecdf8f9004f20276c8a3dcab3f2b6ea3a

SHA256
9e9462c574ce9d5003e3af9c21d4f62852b9a17174c819c8d953f6d46cc499c0

SHA512
0e41b2ded4a0183267a0779c675dea741dc2e9b68d03ec3b6f4ac666ca45a92563825846101b35c6a6e8adee59376fa8dfdae028d3b90e91f1f3a63ea146acc7

Download Submit
C:\ProgramData\TEMP:DED17083

Filesize
146B

MD5
579cf70e50ecdb1dd33aec48f8a11db0

SHA1
b5b425ae36681edd4dfbcb448876276d70fa304f

SHA256
dae38ef18bccd056f228498fb6b034cad64138628f6d115d236abf2b7142e7a7

SHA512
b55f9cda4fec5dd27c5093868d09703c5c70511f448126790b3cbb7cf22b8ecd4582f60b911078ead5c3bf32c0b2955f12b0c1897f350564d340ffe33fbfed2f

Download Submit
C:\ProgramData\TEMP:DED17083

Filesize
146B

MD5
080b8711fe2bd33927e0754ed455f4a6

SHA1
ae7d7ea0ba529cf3187fc8d67db0bf9027f85100

SHA256
7755c47b82359e321f05e34bd6020e282839e388fd588aeb4e963654c3ec87a3

SHA512
23176a9938d3e03811e403b3dddaa53a5ef5383f3f58be09842213c3b06661756f9a1bcd37695a071fb6906811ef48c76432f866eb44b59df076575504bc9451

Download Submit
C:\ProgramData\TEMP:DED17083

Filesize
146B

MD5
b7f8ca2737ff503768217bdfef9a80d0

SHA1
4e444946833a447b79be2d1cb8c7266915937ce1

SHA256
ce5fc0d4876a2d5192ce330813cf8a8bcfe202a059248b4f139b097f67e8b19c

SHA512
d93341268d8dec2ae73973fa6bb61ced7b9bc0efbbe2f87395a6b9d9727b2f31bc55ef121b4a3376f6b116ad719f18b86b3a25d2083d0dd7d24afa4e11fc0223

Download Submit
C:\ProgramData\TEMP:DED17083

Filesize
146B

MD5
86b44f4b899b8b6ff189d1a3d64ebe1a

SHA1
a6136162f06d72a8cd9eb03298d72b443e4896b6

SHA256
a18b0b520d651dee025327874b63b470f2df350ce6a971c4e0363efea317c8d5

SHA512
b76f67b4890d25b7717d46d2582ce49777b01d9b7c511aabd80c7d397706e821b347ff416124d45ae2064b308e9bd1bb8e17c84323565d1ab7f743df543579ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp

Filesize
1.1MB

MD5
c9cf73dd30f17a16fdc1c96aea79c75d

SHA1
73572ec70cc6dbe8096da804c1d1e7fb3cc0baab

SHA256
ba46791872b52dd5b8669c60e3b0ed77b3c9fac4c12c228130bad6db6c3380f9

SHA512
e1fd8a1d65c60dedcfdcb10cf028fab51e96a8dc6442f7af5073a86a1373dd30b6e35f4e6c64d590ca0131de5146500cde00f2b72927fd48e7b835a47fa0e942

Download Submit
C:\Users\Admin\AppData\Local\Temp\{03B85C4B-9B1B-4424-B93A-5A14AB413490}\fpb.tmp

Filesize
831KB

MD5
e23251f56bd9de8dd18a8d68885dab78

SHA1
84358654fd43202d39c342cc394f3dc88fcabe03

SHA256
91d6e2237a156e502c4f2041ca3ff38d769b2003384cdfaa51f227f3e9b5ab25

SHA512
32f45ee1217aef553b11584212e15b73fbe04a2aece882d1cd2b39b0232160ffd42958d7f0d4c7d6b8efeec41af550ac53d3c39a08f1af36ecd419d40dc521d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{07FB48D3-7972-4BB7-9414-A7D86CD593FC}\fpb.tmp

Filesize
553KB

MD5
69a24367f48f7984a5b343551a171072

SHA1
082182f7419175e62f28bf18f97210a1e0117fe1

SHA256
6ac3e542dfb2b06fcb7771211e9c392e72bbe690982cb4cbdd810949587b2c42

SHA512
ef8b50ba4fc402b92b4c14e1e259c861c8da26e0e2be61b3275fefb2cd6e66362cb81d8cd989bb41496e6641977da4c7c05031f2055ecffdba9eaa23c6203ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{69E891E0-72DE-4ADE-8D97-0112A7C66184}\fpb.tmp

Filesize
525KB

MD5
9d08e472e123b7701e90ca38168a8fb5

SHA1
3811ca63a36ea3128e50ab16edcf126f238b20a7

SHA256
c14c86a7b7b3b72644b9cd212ccc128e0a0a34dd20dc7d0a4d4fc8580dd36ade

SHA512
9341850fe1ba838dd54f4c985679f90dfd804c1149c85dce1a362dd7ebc8b336f448ca02d30bad4d91ba22f43b00e975e1d6551bf3329f27afc7dae571cf5e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9189343F-DB4E-481E-B855-11EDD103A4DF}\fpb.tmp

Filesize
501KB

MD5
7805e5fd154a06c713fe9c6e3d4f02c9

SHA1
757b51d549a72a6157bcef7cbed38058c303c61c

SHA256
2d40a95b58ca7db3b11a7b73079e856074c3fd76c4e0f9d7c2741c5ecadd242e

SHA512
36201753349b94d5216bd56f2b2af240544654c4c3def195dfae74efe5b893cae25e6653d831be18c03b98a67f8413c3b607200ee9b4562a5f4d4ccaea7bbde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe

Filesize
8.9MB

MD5
734b50e3625e44791d0cb607422c2a85

SHA1
88ba4d5b9e5a01714ae85b82c3c6ec73833ccfbf

SHA256
3fd01a451c76e699b4e87dfd29d8fb84800eebddcd3c2976691193947fab9467

SHA512
8ccc2e973b88b4dbab531a59c1298b7ee49a78e1dac1aad6bb2f4b5489356fb3bc3d53ef779d4b22c97462e4e1af6f03d4d4e38b9a7738ead389920e5c62a77f

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx

Filesize
16.3MB

MD5
224abf3a6e87b978da13457246f3089b

SHA1
a3702389e1dba21ecc408c352feee32e2afa6deb

SHA256
89fac246784237bb1af6944883eefba6d9475fd824595bcde57743ddac918511

SHA512
10740e3a6b3343f6db89eda8d186afb54127bd7fcb8b4b0c750fecbb6fc7a05b466c358373ce80b0b135a6988fa431996abeff4ba792efe97c7013f9b40ed5f6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

Filesize
256KB

MD5
9e5197d65ba34a4db45b8befc3288c23

SHA1
e7a6227ee35d0e7a559bee8431ac9951526f7936

SHA256
ebbe6126b6b73616032f8e1731642e35c6cb6b395ef74bccb781cae076ee8434

SHA512
e3e350b973f18d711dd02c53cf10be6cff82b593c96d54809595ecfad6cbd080734e0f59144ee107115897c753c57010f13ecf175b73b5bbb3e711e924009216

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\activex.vch

Filesize
1.5MB

MD5
d3df1022c8caacba253ebfb4eb593a66

SHA1
1720b3dd6004c8240e657147341bb7e6d07134e6

SHA256
26e2b59d2b3df2db5e95e17a29e5a7a9968a188cea67c956d804fd94f0a5dafb

SHA512
16bc1e0cd7e7bdbbb3212e4b7a76f3d6ef9c2b77a258110caf6c083d84a080ccf458056e0678f68581ccdc0840ae85d188b58dc40c143fd3ea348b26a3beffc8

Download Submit
C:\Windows\System32\Macromed\Flash\Flash64_14_0_0_176.ocx

Filesize
22.6MB

MD5
2d70c6bfe45293ad77679b597d48dc8f

SHA1
4179ce679fdc31ac4a1210f294b6c7b885b0764d

SHA256
88efae613403eb3979eb6eaa148bd50bd9b5f70a1b64f53625cb1c0917ad999a

SHA512
52f26b09485e97f305b5ad5707db5283cb3275ad0f8684b205995591e1e1ac5e6bf6edffa90d940da1938fd61621d815b3b8e6bb2e9debcdc73cebf5ab2a4cad

Download Submit
memory/400-202-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/400-268-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/2084-51-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2084-7-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2084-213-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3128-91-0x0000000063200000-0x0000000064983000-memory.dmp

Filesize
23.5MB

Download
memory/3396-386-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-307-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4260-291-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-364-0x000000006D780000-0x000000006D7A6000-memory.dmp

Filesize
152KB

Download
memory/4260-279-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4260-283-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4260-350-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-290-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-302-0x0000000004250000-0x0000000004819000-memory.dmp

Filesize
5.8MB

Download
memory/4260-293-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-313-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4260-395-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-294-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-305-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-306-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4260-359-0x0000000004250000-0x0000000004819000-memory.dmp

Filesize
5.8MB

Download
memory/4928-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4928-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4928-215-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4928-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/5012-235-0x0000000004D30000-0x00000000052F9000-memory.dmp

Filesize
5.8MB

Download
memory/5012-241-0x0000000004D30000-0x00000000052F9000-memory.dmp

Filesize
5.8MB

Download
memory/5012-223-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-242-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-245-0x0000000064940000-0x0000000064A16000-memory.dmp

Filesize
856KB

Download
memory/5012-243-0x0000000003720000-0x0000000003890000-memory.dmp

Filesize
1.4MB

Download
memory/5012-222-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-221-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-240-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-219-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-263-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-207-0x0000000003720000-0x0000000003890000-memory.dmp

Filesize
1.4MB

Download
memory/5012-211-0x0000000003720000-0x0000000003890000-memory.dmp

Filesize
1.4MB

Download
memory/5012-204-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/5012-248-0x0000000003720000-0x0000000003890000-memory.dmp

Filesize
1.4MB

Download
memory/5012-267-0x000000006D780000-0x000000006D7A6000-memory.dmp

Filesize
152KB

Download