File name:

ffdec_19.1.2_setup.exe

Full analysis: https://app.any.run/tasks/7f6f026f-e2ac-4421-b8d9-e7784fa18228
Verdict: Malicious activity
Analysis date: January 19, 2024, 01:03:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E78ADE4E15A1A1395BDC9AD6FBC8403D

SHA1:

04DB1010A3E912AAF32DAB66F6C447610F0F6357

SHA256:

B2CFBD1AB691D8A439A633458EADE1D8BA80606626CF84A0C5215357B88B4C37

SSDEEP:

98304:YWIr9PKF4BQfdAdWR/QTO7y8xCbms+znVkZ+cgzkzKuHFLFthVK85sRqOOYIUoUX:0SwXv3MG5HPhVwHMY8ooIv1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ffdec_19.1.2_setup.exe (PID: 2208)
      • javaw.exe (PID: 572)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ffdec_19.1.2_setup.exe (PID: 2208)
      • javaw.exe (PID: 572)
    • The process creates files with name similar to system file names

      • ffdec_19.1.2_setup.exe (PID: 2208)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • ffdec_19.1.2_setup.exe (PID: 2208)
    • Checks for Java to be installed

      • ffdec.exe (PID: 1588)
    • Searches for installed software

      • javaw.exe (PID: 572)
  • INFO

    • Checks supported languages

      • ffdec_19.1.2_setup.exe (PID: 2208)
      • ffdec.exe (PID: 1588)
      • javaw.exe (PID: 572)
    • Reads the computer name

      • ffdec_19.1.2_setup.exe (PID: 2208)
      • javaw.exe (PID: 572)
    • Creates files in the program directory

      • ffdec_19.1.2_setup.exe (PID: 2208)
      • javaw.exe (PID: 572)
    • Create files in a temporary directory

      • ffdec_19.1.2_setup.exe (PID: 2208)
      • javaw.exe (PID: 572)
    • Creates files or folders in the user directory

      • javaw.exe (PID: 572)
    • Reads the machine GUID from the registry

      • javaw.exe (PID: 572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:20 09:58:41+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.4
CodeSize: 44032
InitializedDataSize: 61952
UninitializedDataSize: 129024
EntryPoint: 0x4590
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

start -> ffdec_19.1.2_setup.exe -> ffdec.exe (no specs) -> javaw.exe -> icacls.exe (no specs)
ffdec_19.1.2_setup.exe (no specs)

Process information

PID | CMD | Path | Parent process

572 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -Xmx1024m -Djava.net.preferIPv4Stack=true -Djna.nosys=true -Dl5j.pid=1588 -Dl5j.encargs=1 -jar "C:\PROGRA~1\FFDec\ffdec.jar" | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | ffdec.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1236 | C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M | C:\Windows\System32\icacls.exe | javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
1588 | "C:\Program Files\FFDec\ffdec.exe" | C:\Program Files\FFDec\ffdec.exe | ffdec_19.1.2_setup.exe
User:
admin
Company:
JPEXS
Integrity Level:
HIGH
Description:
JPEXS Free Flash Decompiler launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\ffdec\ffdec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
2044 | "C:\Users\admin\AppData\Local\Temp\ffdec_19.1.2_setup.exe" | C:\Users\admin\AppData\Local\Temp\ffdec_19.1.2_setup.exe | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\ffdec_19.1.2_setup.exe
c:\windows\system32\ntdll.dll
2208 | "C:\Users\admin\AppData\Local\Temp\ffdec_19.1.2_setup.exe" | C:\Users\admin\AppData\Local\Temp\ffdec_19.1.2_setup.exe | explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ffdec_19.1.2_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
1 184
Read events
1 183
Write events
0
Delete events
1

Modification events

PID | Process | Key | Operation | Name | Value
2208 | ffdec_19.1.2_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E618D276-6596-41F4-8A98-447D442A77DB}_is1 | delete key | (default) | 
Executable files
31
Suspicious files
14
Text files
114
Unknown types
0

Dropped files

PID | Process | Filename | Type

2208 | ffdec_19.1.2_setup.exe | C:\Users\admin\AppData\Local\Temp\nsy608.tmp\StartMenu.dll | executable
MD5: DCE59BEA993492508ED7121B31B1FC6D
SHA256: 359A20BFF59F02DD94D677CA715AF93DF76DEE0EB5210608DA6EF05D986DC7E9

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\ffdec.exe | executable
MD5: C1C196B87E88E0EE86295F0AB6A7C17F
SHA256: B66B0182373A4992244284FB2AA6BDB1A72A3BFA442B6A34421D6E51915681C3

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\ffdec.bat | text
MD5: 8F8D6E28DCD3D4A38168AEF118E1B2EC
SHA256: 01838E20CB73E9FA8F7537950F6B3F9DDD1FA8B3C91FD770DF3E5F71869FA755

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\ffdec.jar | java
MD5: 5CE8238819A25EF0F486AEC663EDCED0
SHA256: D5BB3E15037F28D56961BD1648489439B3446EA374AC1BAC97353CE687FA6B8C

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\lib\JavactiveX.jar | java
MD5: 94737B7083301B12623034E9C0BA3133
SHA256: 8C8D643077B93E1D792B32415703AE3800C4689BCE05BB3700CAE20C26F86631

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\translator.exe | executable
MD5: 18379910D60EAB3B81EB71E7C1E5BDA3
SHA256: AC045700AEB8BA8C7629B7D99240AD1DC80F8C997D26E48CC79BA379C2AFAB49

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\license.txt | text
MD5: 3C34AFDC3ADF82D2448F12715A255122
SHA256: 0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\flashlib\airglobal.swc | compressed
MD5: F8BA21161960EAAB18B41D911D77E8AD
SHA256: 169A531C3F4715E06FA31ECAD80637253B33CEEB60B077FCD96C6F35FA03BC2D

2208 | ffdec_19.1.2_setup.exe | C:\Program Files\FFDec\flashlib\playerglobal32_0.swc | compressed
MD5: 513A4F254444E43B94BB0758398EA23C
SHA256: 7D4D6168D27603CFB3B750302448E354E0BBC1BDD58F5D101C3DCF6891E9BB65

2208 | ffdec_19.1.2_setup.exe | C:\Users\admin\AppData\Local\Temp\nsy608.tmp\modern-header.bmp | image
MD5: 6C89D5A7C988506755C68DE07E6505F2
SHA256: 7324B33545FC9FDD9C0FEE0597ABE552982E6FF755B9EC1D7F81927D9450DE9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
572 | javaw.exe | 140.82.121.5:443 | api.github.com | GITHUB | US | unknown

DNS requests

Domain | IP | Reputation
api.github.com | 140.82.121.5 | whitelisted

Threats

No threats detected
No debug info