Malware Analysis Report

2024-10-16 03:30

Sample ID 240905-mh9fkazaph
Target flash_decompiler (1).exe
SHA256 8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4
Tags banload discovery downloader dropper evasion persistence privilege_escalation trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file flash_decompiler (1).exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Banload

Event Triggered Execution: Image File Execution Options Injection

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Network Service Discovery

Checks installed software on the system

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

NTFS ADS

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-05 10:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 10:29

Reported

2024-09-05 10:31

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe"

Signatures

Banload

trojan dropper downloader banload

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.dll C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\system32\Macromed\Flash\FlashInstall.log C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.dll C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File opened for modification C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File opened for modification C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\system32\Macromed\Flash\activex.vch C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\activex.vch C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-G25EP.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-OQSGS.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-SPJGI.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-9P3L1.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-IANA1.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-519PE.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-6646O.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-6D9UT.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-8VQET.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-FE0AB.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-IJJ8U.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-M6AQ7.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-VM3P8.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-IDQMU.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-851RM.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-UQVAA.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-ST2J6.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-OPIHM.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-1QNSO.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-GUC1S.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-1HK9J.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-M1U9T.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-1QOC0.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-2UF2R.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-7CO2F.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-9T6T4.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-O4DTO.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-N8CG6.tmp C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_14_0_0_176_ActiveX.exe" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_14_0_0_176_ActiveX.exe" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Xlgwn = "]QwB|ZvmmbqT" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\lmmZfZcBw = "F^sX`{SKu]]B^qCHa" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\cgCoyAe = "Zf\x7f\\YzumUBNs`EwsSj}GkUy[SyqRRBJ" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Xlgwn = "YQwB|ZtKbE{X" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.14" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\Xlgwn = "ONBrkMHsuLmz" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_14_0_0_176.ocx, 1" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalizedString = "@C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\cgCoyAe = "b]f_uHThV`hN{AOapo~Fgkrj^\\awPHW" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalizedString = "@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe,-101" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open with Flash Decompiler\command\ = "C:\\Program Files (x86)\\Eltima Software\\Flash Decompiler Trillix\\FlashDecompiler.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Xlgwn = "_qwB|ZtDgyLT" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\Xlgwn = "M^BrkMK{iTI^" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0 C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\ = "CLSID_SearchFolder" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1 C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\lmmZfZcBw = "jayzGTEg[kn~}LjF[" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4 C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\Xlgwn = "O~BrkMJgSPv\\" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open with Flash Decompiler C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\cgCoyAe = "Zf\x7f\\yzumUBNs@EwsSj}N{]y[SyqRRBJ" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\Skxjsnh = "ky_i\x7fSL\\cg|SaCYSz_HMflY" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\TEMP:DED17083 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
File opened for modification C:\ProgramData\TEMP:DED17083 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp N/A
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe N/A
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp
PID 2084 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
PID 4912 wrote to memory of 3128 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe
PID 4912 wrote to memory of 2196 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
PID 2084 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
PID 400 wrote to memory of 5012 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
PID 3396 wrote to memory of 4260 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
PID 4260 wrote to memory of 3508 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
PID 3508 wrote to memory of 4896 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe

"C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp" /SL5="$A0286,27643739,119296,C:\Users\Admin\AppData\Local\Temp\flash_decompiler (1).exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe" /install

C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe

"C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x398 0x498

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe" ""

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe" ""

Network

Files

C:\Users\Admin\AppData\Local\Temp\is-RFV56.tmp\flash_decompiler (1).tmp

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe

C:\Users\Admin\AppData\Local\Temp\{03B85C4B-9B1B-4424-B93A-5A14AB413490}\fpb.tmp

C:\Users\Admin\AppData\Local\Temp\{9189343F-DB4E-481E-B855-11EDD103A4DF}\fpb.tmp

C:\Users\Admin\AppData\Local\Temp\{BFF93593-BB4D-4A3B-B9A1-FFD8A9B5A0ED}\InstallFlashPlayer.exe

C:\Users\Admin\AppData\Local\Temp\{69E891E0-72DE-4ADE-8D97-0112A7C66184}\fpb.tmp

C:\Users\Admin\AppData\Local\Temp\{07FB48D3-7972-4BB7-9414-A7D86CD593FC}\fpb.tmp

C:\Windows\System32\Macromed\Flash\Flash64_14_0_0_176.ocx

C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll

C:\ProgramData\Licenses\0B608C43E7FF4F3D3.Lic

C:\ProgramData\AutoUpdate\FlashDecompiler.exe\Statistics.xml

C:\ProgramData\AutoUpdate\FlashDecompiler.exe\SkippedVersions.xml

C:\Windows\SysWOW64\Macromed\Flash\activex.vch

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\fd_intro.swf

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\fd_demo_limits.swf

C:\ProgramData\TEMP:DED17083
