Malware Analysis Report

2025-01-22 23:10

Sample ID 241207-y7mtmsxldk
Target flash_decompiler.exe
SHA256 8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4
Tags
banload discovery downloader dropper evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4

Threat Level: Known bad

The file flash_decompiler.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Banload

Banload family

Event Triggered Execution: Image File Execution Options Injection

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Checks BIOS information in registry

Loads dropped DLL

Network Service Discovery

Checks installed software on the system

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-07 20:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-07 20:25

Reported

2024-12-07 20:27

Platform

win11-20241007-en

Max time kernel

85s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\activex.vch C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\system32\Macromed\Flash\activex.vch C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
File created C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.dll C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
File opened for modification C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
File opened for modification C:\Windows\system32\Macromed\Flash\FlashInstall.log C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.dll C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
File created C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-CLVSI.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-6PJ7K.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-NHPRM.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-BQSS3.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-35MEA.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-M2J8E.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-UP3VC.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-MR5PG.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-EMA3L.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-3AAHM.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-QT96P.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-D9DGE.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-S7QFD.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-JK7QO.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-UJ7D8.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-PKANB.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-PPF4U.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-84I0C.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-NIDQE.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-5CJ1O.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-N837E.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-Q9T1E.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-TC1E4.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-RL5OG.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-4912T.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-LBOMG.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-3J6NV.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File created C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-8NUHT.tmp C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
File opened for modification C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_14_0_0_176_ActiveX.exe" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_14_0_0_176_ActiveX.exe" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\RIouRqs = "\\" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\RIouRqs = "a" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.14" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ = "IFlashBroker5" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ = "ISimpleTextSelection" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\{DED17083-AE52-13D1-B2E4-0060975B8649}\dvnyoow = "Hxd|hD~[P}tM}KjEYTae\x7fxAZK" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.14" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR\ = "C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66} C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\uquecgxfqG = "ky_i\x7fSL\\cg|SaCYSzUDLf" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\ghiipgYgvNnb = "jayzGTEg[kn~}LjF[^QwB|Zw\x7fp}M" C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win64\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_14_0_0_176.ocx" C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\TEMP:DED17083 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A
File opened for modification C:\ProgramData\TEMP:DED17083 C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp N/A
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp
PID 2116 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
PID 4504 wrote to memory of 3716 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe
PID 4504 wrote to memory of 4472 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
PID 2116 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
PID 3884 wrote to memory of 1148 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
PID 2928 wrote to memory of 1172 N/A C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe

"C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"

C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp" /SL5="$50228,27643739,119296,C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe" /install

C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe

"C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x0000000000000484

Network

N/A

Files
