banload | 8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flash_decompiler.exe
Size

26.9MB
MD5

3ccc94c98531d1389f3d1ed06d64f081
SHA1

dfbd71b2f0c9b2af5a643f597b04d1d933ff71a0
SHA256

8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4
SHA512

8563141763b22da9e790ed49544f10a6cb52dbdcebb8082cb8997ebb966c949e88c64be7e260b84df4f5d8079fc270b95912d84b7433af60003b70fdedc75398
SSDEEP

786432:wa0DgoQ4T3vo3YcjGC8qq7ABxE9RUUuCS8G:waygoZTkjG0BxOZG

Score

10^/10

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_176_ActiveX.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FlashDecompiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FlashDecompiler.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	flash_decompiler.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	install_flash_player_14_active_x.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
3648	flash_decompiler.tmp
1788	install_flash_player_14_active_x.exe
2108	InstallFlashPlayer.exe
4404	FlashPlayerUpdateService.exe
3160	FlashDecompiler.exe
4188	FlashDecompiler.exe

Loads dropped DLL 17 IoCs

pid	Process
1788	install_flash_player_14_active_x.exe
1788	install_flash_player_14_active_x.exe
1788	install_flash_player_14_active_x.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
1788	install_flash_player_14_active_x.exe
1788	install_flash_player_14_active_x.exe
1788	install_flash_player_14_active_x.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	install_flash_player_14_active_x.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2108	InstallFlashPlayer.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashInstall.log	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.exe	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_176_ActiveX.dll	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.dll	install_flash_player_14_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\activex.vch	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
File created	C:\Windows\system32\Macromed\Flash\activex.vch	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\Flash64_14_0_0_176.ocx	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx	install_flash_player_14_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_176_ActiveX.exe	install_flash_player_14_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx	install_flash_player_14_active_x.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-KV6NE.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-7UHEG.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-IGNEE.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-3CPOI.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-8ATVV.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-2OB6O.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-CTFST.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-N9EBL.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-T3LCE.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-CPM2U.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-NTLJ8.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-DIIP2.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-HHNPH.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tutorials\is-7I6RE.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-DT45L.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-F2PJC.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.msg	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-75C4U.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\unins000.dat	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-VR8U1.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-09RCI.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-N54L1.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-A9P75.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-9H0M8.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\is-47BTP.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-FFPJT.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-1DSSV.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-DH502.tmp	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\localizations\is-O96CS.tmp	flash_decompiler.tmp
File opened for modification	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe	flash_decompiler.tmp
File created	C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\is-RVR8D.tmp	flash_decompiler.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flash_decompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flash_decompiler.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install_flash_player_14_active_x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashPlayerUpdateService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashDecompiler.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	install_flash_player_14_active_x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_14_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_14_0_0_176_ActiveX.exe"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_14_0_0_176_ActiveX.exe"	install_flash_player_14_active_x.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecs.dll"	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\ = "FlashBroker"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D62F405A-97CC-641B-93FE-D85298F2F3AF}\InProcServer32	FlashDecompiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_14_0_0_176.ocx, 1"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open with Flash Decompiler\command	flash_decompiler.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version	install_flash_player_14_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	install_flash_player_14_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_14_active_x.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3648	flash_decompiler.tmp
3648	flash_decompiler.tmp
1788	install_flash_player_14_active_x.exe
1788	install_flash_player_14_active_x.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
1788	install_flash_player_14_active_x.exe
1788	install_flash_player_14_active_x.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4188	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	4188	FlashDecompiler.exe
Token: 33	4188	FlashDecompiler.exe
Token: SeIncBasePriorityPrivilege	4188	FlashDecompiler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3648	flash_decompiler.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1788	install_flash_player_14_active_x.exe
2108	InstallFlashPlayer.exe
2108	InstallFlashPlayer.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe
4188	FlashDecompiler.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3648	3644	flash_decompiler.exe	85
PID 3644 wrote to memory of 3648	3644	flash_decompiler.exe	85
PID 3644 wrote to memory of 3648	3644	flash_decompiler.exe	85
PID 3648 wrote to memory of 1788	3648	flash_decompiler.tmp	99
PID 3648 wrote to memory of 1788	3648	flash_decompiler.tmp	99
PID 3648 wrote to memory of 1788	3648	flash_decompiler.tmp	99
PID 1788 wrote to memory of 2108	1788	install_flash_player_14_active_x.exe	100
PID 1788 wrote to memory of 2108	1788	install_flash_player_14_active_x.exe	100
PID 1788 wrote to memory of 4404	1788	install_flash_player_14_active_x.exe	103
PID 1788 wrote to memory of 4404	1788	install_flash_player_14_active_x.exe	103
PID 1788 wrote to memory of 4404	1788	install_flash_player_14_active_x.exe	103
PID 3648 wrote to memory of 3160	3648	flash_decompiler.tmp	108
PID 3648 wrote to memory of 3160	3648	flash_decompiler.tmp	108
PID 3648 wrote to memory of 3160	3648	flash_decompiler.tmp	108
PID 3160 wrote to memory of 4188	3160	FlashDecompiler.exe	109
PID 3160 wrote to memory of 4188	3160	FlashDecompiler.exe	109
PID 3160 wrote to memory of 4188	3160	FlashDecompiler.exe	109
PID 3160 wrote to memory of 4188	3160	FlashDecompiler.exe	109
PID 3160 wrote to memory of 4188	3160	FlashDecompiler.exe	109

C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe
"C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\is-R21SM.tmp\flash_decompiler.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R21SM.tmp\flash_decompiler.tmp" /SL5="$C006C,27643739,119296,C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe
    "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe" /install
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\{6B1CEEE4-211D-4C28-B43C-62FED5E4094E}\InstallFlashPlayer.exe
      "C:\Users\Admin\AppData\Local\Temp\{6B1CEEE4-211D-4C28-B43C-62FED5E4094E}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Network Service Discovery
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2108
  - - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4404
- - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
    "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe
      "C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\AutoUpdate.dll

Filesize
1.6MB

MD5
b4715ca0f9f08fde8c82ffb89b455460

SHA1
c789d6a8f4b0dae97ebda5b99af7bf1a337882aa

SHA256
00b4e9748dfbdecca3bb3500768bb5e26d7de06ba81050ff0abec35e57517a45

SHA512
961dfd1652b828a7d2e6940908b237adc93559f6f2048026b62bcd46ca38cc0d8d06dacfdaffa381236ddc787a90ce0b5d7f82793474778f494c60b431b6b61f

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe

Filesize
6.2MB

MD5
180990e3ecf117281e5f270700ce9f07

SHA1
b6c27f55dd4b45f62d21db2030f5d5f1b78c89ba

SHA256
bb476cc25abd354478005d594c25ea61cf1f9b7dee977c9873aae0f128cd47da

SHA512
f2e5a8c3a763338be61b1f647410bcb68aa0be0c9e1e8546cca21153f2defe1b11baa650e129edf1649f47a8c3ebf3ecc9699591555971c92795323fa265d5c6

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avcodec-52.dll

Filesize
2.7MB

MD5
7ce4c8d8c43dadebee3a83d9e4aa37b9

SHA1
9e8ee1a9be72dc03fce99316253ddb9e8b42f279

SHA256
0fb7a0e27e5b6aca0fb04d6161c43d8ffb9f3e7c0d9c416b308c1a58ef7ac0aa

SHA512
0b21cd8b7c3b92101ec11236d7e3f68ddccf23b317bca1854849d34e67469e349c8a75ecc6b978bc046fcd70270f3125c6eacdd12dea09c042edd536a4c8a123

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avformat-52.dll

Filesize
630KB

MD5
5903c75593c744acd1c49d290bb24fe1

SHA1
13014411f3d6d16926c96fdd6e89253ed55ba250

SHA256
a974a051e8d26dbe0a672e710f9b3ab71d1407580301fa7d64d35eef96cd7056

SHA512
201e820fc80c8d2f44ac0483b91bb40383cef534a692c85872142b7b39ea29bf85151b13a41d5d97a10767facc8e9f8a49e333daee43a73a7d0f815b6362ee4b

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\avutil-50.dll

Filesize
99KB

MD5
d7cfb561dc0170a3db0c9352b31a06f2

SHA1
84f0ee0f528fd2368951430a7ad63dc441963e45

SHA256
a23151c333250549de42b83c6aff06c0880ed829331c9cafa158d1b39a4c58ff

SHA512
eb541e663ed6ab9ee41ad7ea16997d63b1b586d3b78a7a9d4bc78f651dbdd5b5263f3b39c0dc85736cdd67d150739872a87511bfdd45ac120c9297bfffb3b6df

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\lame_enc.dll

Filesize
286KB

MD5
0a9b1ff3db39aeba0ba1ce1eca3bc62b

SHA1
3d21ec0d2ffe3a5b122cc165f34067c45ef5a126

SHA256
ca6af76acd53124c033648369d31268723398d5c3422113fc59e9dc630d17f91

SHA512
a4cd4f513db67c48e8eb1ade323302430a11285e8e3b90b0c4394bc63bd9957373ad0d64bca2458cec8a0c5edfcf57459fc378dcded2e22e9468c1e2d34d8a6d

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\swscale-0.dll

Filesize
151KB

MD5
c9ea8c737889cd4f87b72b06239d4a4f

SHA1
b6dae6ac26725f3e23fd2f184c490a8dd489bc42

SHA256
513381fbbd4950c172699070af6a45c8c3193488e26202e33df4397f45816730

SHA512
bc999121aac043d445a21fe4d18d8122dc46ae9c672c647f773d9d9dfc10a00a2735616706c75363d0ec52a9731434221a695fc5b94e49b850d88112e6601489

Download Submit
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe

Filesize
17.7MB

MD5
f84400792447ebf6adaa615bcf149eb5

SHA1
16231b509d8e689dc34ae36597d41c4fb1b3a67e

SHA256
cb3043490ce4bf1210098746af8be5a19e7a6d5ae153d34636efbe4bf9af3ef8

SHA512
edf5193b6058c949766d545e7fad87db03fd1eaed5e9d75caed4bbda13ec560a67957391930e582c82c9005023db73585e722b6bc31f9fb0d36cb903be8a7efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R21SM.tmp\flash_decompiler.tmp

Filesize
1.1MB

MD5
c9cf73dd30f17a16fdc1c96aea79c75d

SHA1
73572ec70cc6dbe8096da804c1d1e7fb3cc0baab

SHA256
ba46791872b52dd5b8669c60e3b0ed77b3c9fac4c12c228130bad6db6c3380f9

SHA512
e1fd8a1d65c60dedcfdcb10cf028fab51e96a8dc6442f7af5073a86a1373dd30b6e35f4e6c64d590ca0131de5146500cde00f2b72927fd48e7b835a47fa0e942

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5071411A-F658-4094-B289-FC2737F47948}\fpb.tmp

Filesize
553KB

MD5
69a24367f48f7984a5b343551a171072

SHA1
082182f7419175e62f28bf18f97210a1e0117fe1

SHA256
6ac3e542dfb2b06fcb7771211e9c392e72bbe690982cb4cbdd810949587b2c42

SHA512
ef8b50ba4fc402b92b4c14e1e259c861c8da26e0e2be61b3275fefb2cd6e66362cb81d8cd989bb41496e6641977da4c7c05031f2055ecffdba9eaa23c6203ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6B1CEEE4-211D-4C28-B43C-62FED5E4094E}\InstallFlashPlayer.exe

Filesize
8.9MB

MD5
734b50e3625e44791d0cb607422c2a85

SHA1
88ba4d5b9e5a01714ae85b82c3c6ec73833ccfbf

SHA256
3fd01a451c76e699b4e87dfd29d8fb84800eebddcd3c2976691193947fab9467

SHA512
8ccc2e973b88b4dbab531a59c1298b7ee49a78e1dac1aad6bb2f4b5489356fb3bc3d53ef779d4b22c97462e4e1af6f03d4d4e38b9a7738ead389920e5c62a77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{93FCFA57-F480-412E-A435-5455739B407E}\fpb.tmp

Filesize
501KB

MD5
7805e5fd154a06c713fe9c6e3d4f02c9

SHA1
757b51d549a72a6157bcef7cbed38058c303c61c

SHA256
2d40a95b58ca7db3b11a7b73079e856074c3fd76c4e0f9d7c2741c5ecadd242e

SHA512
36201753349b94d5216bd56f2b2af240544654c4c3def195dfae74efe5b893cae25e6653d831be18c03b98a67f8413c3b607200ee9b4562a5f4d4ccaea7bbde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EEEF41B0-B423-4311-8EDB-49C0FD893E5D}\fpb.tmp

Filesize
525KB

MD5
9d08e472e123b7701e90ca38168a8fb5

SHA1
3811ca63a36ea3128e50ab16edcf126f238b20a7

SHA256
c14c86a7b7b3b72644b9cd212ccc128e0a0a34dd20dc7d0a4d4fc8580dd36ade

SHA512
9341850fe1ba838dd54f4c985679f90dfd804c1149c85dce1a362dd7ebc8b336f448ca02d30bad4d91ba22f43b00e975e1d6551bf3329f27afc7dae571cf5e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FAE51B55-9669-4FA6-B9CD-BCB746DBA432}\fpb.tmp

Filesize
831KB

MD5
e23251f56bd9de8dd18a8d68885dab78

SHA1
84358654fd43202d39c342cc394f3dc88fcabe03

SHA256
91d6e2237a156e502c4f2041ca3ff38d769b2003384cdfaa51f227f3e9b5ab25

SHA512
32f45ee1217aef553b11584212e15b73fbe04a2aece882d1cd2b39b0232160ffd42958d7f0d4c7d6b8efeec41af550ac53d3c39a08f1af36ecd419d40dc521d4

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash32_14_0_0_176.ocx

Filesize
16.3MB

MD5
224abf3a6e87b978da13457246f3089b

SHA1
a3702389e1dba21ecc408c352feee32e2afa6deb

SHA256
89fac246784237bb1af6944883eefba6d9475fd824595bcde57743ddac918511

SHA512
10740e3a6b3343f6db89eda8d186afb54127bd7fcb8b4b0c750fecbb6fc7a05b466c358373ce80b0b135a6988fa431996abeff4ba792efe97c7013f9b40ed5f6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

Filesize
256KB

MD5
9e5197d65ba34a4db45b8befc3288c23

SHA1
e7a6227ee35d0e7a559bee8431ac9951526f7936

SHA256
ebbe6126b6b73616032f8e1731642e35c6cb6b395ef74bccb781cae076ee8434

SHA512
e3e350b973f18d711dd02c53cf10be6cff82b593c96d54809595ecfad6cbd080734e0f59144ee107115897c753c57010f13ecf175b73b5bbb3e711e924009216

Download Submit
C:\Windows\System32\Macromed\Flash\Flash64_14_0_0_176.ocx

Filesize
22.6MB

MD5
2d70c6bfe45293ad77679b597d48dc8f

SHA1
4179ce679fdc31ac4a1210f294b6c7b885b0764d

SHA256
88efae613403eb3979eb6eaa148bd50bd9b5f70a1b64f53625cb1c0917ad999a

SHA512
52f26b09485e97f305b5ad5707db5283cb3275ad0f8684b205995591e1e1ac5e6bf6edffa90d940da1938fd61621d815b3b8e6bb2e9debcdc73cebf5ab2a4cad

Download Submit
memory/2108-92-0x00000000760B0000-0x0000000077833000-memory.dmp

Filesize
23.5MB

Download
memory/2108-306-0x00000000760B0000-0x0000000077833000-memory.dmp

Filesize
23.5MB

Download
memory/3160-205-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3160-265-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/3644-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3644-216-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3644-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3644-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3648-201-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3648-215-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3648-19-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3648-13-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3648-7-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4188-211-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-239-0x0000000004A60000-0x0000000005029000-memory.dmp

Filesize
5.8MB

Download
memory/4188-241-0x0000000064940000-0x0000000064A16000-memory.dmp

Filesize
856KB

Download
memory/4188-245-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-246-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4188-244-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-240-0x0000000004A60000-0x0000000005029000-memory.dmp

Filesize
5.8MB

Download
memory/4188-224-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-236-0x0000000004A60000-0x0000000005029000-memory.dmp

Filesize
5.8MB

Download
memory/4188-221-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-223-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-220-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-249-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4188-210-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download
memory/4188-266-0x0000000000400000-0x0000000001568000-memory.dmp

Filesize
17.4MB

Download
memory/4188-271-0x000000006D780000-0x000000006D7A6000-memory.dmp

Filesize
152KB

Download
memory/4188-206-0x00000000037A0000-0x0000000003910000-memory.dmp

Filesize
1.4MB

Download