45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-11-2022 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe
Size

25.1MB
MD5

b4775fcffd1877ffa155fffc0832cbd8
SHA1

c1e419c89fbd9aadcd1d436ec2c98f3be1db8dad
SHA256

45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315
SHA512

6c697f8df1d5e3395b3caa8bc89c1e74706c23cef21cbf7abb62efaebeb02c09228e4079d62a7e65f56a6232f9b85ba9fb1e174772313a574e03d91df3b4e8e0
SSDEEP

786432:d3GJ4ZidZLnUH8ANG3Yjonnb1f5VgXoPq:cqyLnKFgbx5VgYPq

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Adobe_Flash_Player_ActiveX_v34_0_0_277.exeAdobe_Flash_Player_NPAPI_v34_0_0_277.exeAdobe_Flash_Player_PPAPI_v34_0_0_277.exe

pid process

556 Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
568 Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
580 Adobe_Flash_Player_PPAPI_v34_0_0_277.exe

Possible privilege escalation attempt 16 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
888	takeown.exe
1696	icacls.exe
1944	takeown.exe
1284	icacls.exe
1868	takeown.exe
1588	icacls.exe
516	icacls.exe
976	takeown.exe
1308	icacls.exe
1396	icacls.exe
1156	icacls.exe
1044	icacls.exe
1616	icacls.exe
1200	icacls.exe
1776	takeown.exe
1512	takeown.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

980 regsvr32.exe
1608 regsvr32.exe

pid	process
980	regsvr32.exe
1608	regsvr32.exe

Modifies file permissions 1 TTPs 16 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
1696	icacls.exe
1200	icacls.exe
976	takeown.exe
1944	takeown.exe
1616	icacls.exe
1284	icacls.exe
1044	icacls.exe
888	takeown.exe
1308	icacls.exe
1396	icacls.exe
1156	icacls.exe
1868	takeown.exe
1512	takeown.exe
1588	icacls.exe
1776	takeown.exe
516	icacls.exe

Drops file in System32 directory 44 IoCs

Processes:

xcopy.execmd.exexcopy.exexcopy.exexcopy.execmd.exexcopy.execmd.exexcopy.exexcopy.exexcopy.exexcopy.exeregsvr32.exeregsvr32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat	cmd.exe
File created	C:\Windows\System32\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat	cmd.exe
File created	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerApp.exe	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\NPSWF.dll	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe	xcopy.exe
File created	C:\Windows\SysWOW64\FlashPlayerApp.exe	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	regsvr32.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat	cmd.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\manifest.json	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\manifest.json	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	regsvr32.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat	cmd.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ico	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

xcopy.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 xcopy.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1000 sc.exe
972 sc.exe
1968 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1260 timeout.exe
1968 timeout.exe
740 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1152 taskkill.exe
1260 taskkill.exe
1892 taskkill.exe
600 taskkill.exe
1020 taskkill.exe
1396 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	xcopy.exe

pid	process
1000	sc.exe
972	sc.exe
1968	sc.exe

pid	process
1260	timeout.exe
1968	timeout.exe
740	timeout.exe

pid	process
1152	taskkill.exe
1260	taskkill.exe
1892	taskkill.exe
600	taskkill.exe
1020	taskkill.exe
1396	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.26\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.34\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.33	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.32\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.24\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.28\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.24\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.34"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25\ = "Shockwave Flash Object"	regsvr32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

Adobe_Flash_Player_ActiveX_v34_0_0_277.exeregsvr32.exeregsvr32.exeAdobe_Flash_Player_NPAPI_v34_0_0_277.exeAdobe_Flash_Player_PPAPI_v34_0_0_277.exe

pid	process
556	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
980	regsvr32.exe
1252	regsvr32.exe
568	Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
580	Adobe_Flash_Player_PPAPI_v34_0_0_277.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

980 regsvr32.exe
1608 regsvr32.exe

pid	process
980	regsvr32.exe
1608	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.execmd.execmd.exeAdobe_Flash_Player_ActiveX_v34_0_0_277.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 1144	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1760 wrote to memory of 1144	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1760 wrote to memory of 1144	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1760 wrote to memory of 1144	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1144 wrote to memory of 1236	1144	cmd.exe	attrib.exe
PID 1144 wrote to memory of 1236	1144	cmd.exe	attrib.exe
PID 1144 wrote to memory of 1236	1144	cmd.exe	attrib.exe
PID 1760 wrote to memory of 1148	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1760 wrote to memory of 1148	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1760 wrote to memory of 1148	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1760 wrote to memory of 1148	1760	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1148 wrote to memory of 556	1148	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 556 wrote to memory of 1572	556	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe	cmd.exe
PID 556 wrote to memory of 1572	556	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe	cmd.exe
PID 556 wrote to memory of 1572	556	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe	cmd.exe
PID 556 wrote to memory of 1572	556	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe	cmd.exe
PID 1572 wrote to memory of 1644	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1644	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1644	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 972	1572	cmd.exe	sc.exe
PID 1572 wrote to memory of 972	1572	cmd.exe	sc.exe
PID 1572 wrote to memory of 972	1572	cmd.exe	sc.exe
PID 1572 wrote to memory of 1152	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1152	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1152	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1260	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1260	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1260	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 820	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 820	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 820	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 2024	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 2024	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 2024	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 2016	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2016	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2016	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2044	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2044	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2044	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2000	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2000	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2000	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1412	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1412	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1412	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 600	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 600	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 600	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1960	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1960	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1960	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1964	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1964	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1964	1572	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1236 attrib.exe

pid	process
1236	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe
"C:\Users\Admin\AppData\Local\Temp\45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
2⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
3⤵
- Views/modifies file attributes
PID:1236

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe /ai /gm2
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:1644

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:972

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:820

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:2024

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:2016

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:2044

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:2000

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:1992

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:1412

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:600

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1960

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:960

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:860

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1776

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:768

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1820

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:980

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerApp.exe" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2008

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1728

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerApp.exe" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1328

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1284

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayer" /f
5⤵
PID:1196

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f
5⤵
PID:1064

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType" /f
5⤵
PID:1108

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer" /f
5⤵
PID:1384

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f
5⤵
PID:1688

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveXReleaseType" /f
5⤵
PID:1716

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe" /f
5⤵
PID:1880

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_ActiveX.exe" /f
5⤵
PID:1748

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_ActiveX.exe" /f
5⤵
PID:972

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1680

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\*" "C:\Windows\SysWOW64\"
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1128

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1660

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:2020

C:\Windows\system32\find.exe
find "5."
5⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1984

C:\Windows\system32\find.exe
find "5."
5⤵
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1956

C:\Windows\system32\find.exe
find "6.0."
5⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1792

C:\Windows\system32\find.exe
find "6.0."
5⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1800

C:\Windows\system32\find.exe
find "6.1."
5⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1704

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash7.ocx" "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
- Drops file in System32 directory
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1308

C:\Windows\system32\find.exe
find "6.1."
5⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1516

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash7.ocx" "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
- Drops file in System32 directory
PID:1396

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
- Registers COM server for autorun
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:980

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1252

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:1616

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1092

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1668

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
PID:1284

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
PID:1144

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:740

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayName" /d "Adobe Flash Player 34 ActiveX"
4⤵
PID:664

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayVersion" /d "34.0.0.277"
4⤵
PID:1108

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
4⤵
PID:1936

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
4⤵
PID:1688

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat"
4⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe /ai /gm2
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat"
4⤵
PID:2012

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:2000

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:1968

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:1792

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:1372

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:1800

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:1656

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:1944

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:1704

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:1484

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1020

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1832

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1848

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:896

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:888

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2004

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1628

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1200

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f
5⤵
PID:1608

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center\Svc\Vol" /f
5⤵
PID:1252

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /f /v "cval"
5⤵
PID:112

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f
5⤵
PID:1812

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPluginReleaseType" /f
5⤵
PID:1328

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f
5⤵
PID:1268

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f
5⤵
PID:968

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPluginReleaseType" /f
5⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1400

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\*" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1576

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:516

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.277"
5⤵
PID:520

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
5⤵
PID:1428

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.277"
5⤵
PID:664

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
5⤵
PID:572

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1644

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
5⤵
PID:1716

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1152

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
5⤵
PID:1880

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "XPTPath" /d "C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt"
5⤵
PID:1688

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:1260

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 NPAPI"
4⤵
PID:560

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayVersion" /d "34.0.0.277"
4⤵
PID:432

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
4⤵
PID:1748

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
4⤵
PID:380

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat"
4⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe /ai /gm2
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat"
4⤵
PID:1988

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:1348

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:1000

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:1156

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:1544

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:1728

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:1628

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:2008

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:1296

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:1316

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1616

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1092

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1284

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:1144

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1512

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1732

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:884

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:520

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\*" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1428

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1880

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.277"
5⤵
PID:2044

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
5⤵
PID:2012

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
5⤵
PID:1660

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
5⤵
PID:1976

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
5⤵
PID:1128

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
5⤵
PID:1088

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\pepflashplayer.dll"
5⤵
PID:2000

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1964

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
5⤵
PID:848

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
5⤵
PID:1600

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
5⤵
PID:960

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
5⤵
PID:1992

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
5⤵
PID:1680

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll"
5⤵
PID:528

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 PPAPI"
4⤵
PID:812

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayVersion" /d "34.0.0.277"
4⤵
PID:600

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
4⤵
PID:1108

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ico"
4⤵
PID:1748

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat"
4⤵
PID:820

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
Filesize
11.0MB

MD5
91157209ad82927373b6974bb6a1f70a

SHA1
2110f85d2637343e45a167e36903e7534c7bbfa4

SHA256
6ef1dc9dd7a71e3588c86e9f51059413bb5ba8cc7ededae06d57150e9f31f0ee

SHA512
1950e756f1f706ad41b9eef857ee30c2ccbf77fce35330a69a3d4e0825bedb1ba178560958aaa7c1f11e218250ff39178c775371998dac52d09d49e277ff8888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
Filesize
11.0MB

MD5
91157209ad82927373b6974bb6a1f70a

SHA1
2110f85d2637343e45a167e36903e7534c7bbfa4

SHA256
6ef1dc9dd7a71e3588c86e9f51059413bb5ba8cc7ededae06d57150e9f31f0ee

SHA512
1950e756f1f706ad41b9eef857ee30c2ccbf77fce35330a69a3d4e0825bedb1ba178560958aaa7c1f11e218250ff39178c775371998dac52d09d49e277ff8888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
Filesize
7.1MB

MD5
16c2d235426707e6ff27ece528ece779

SHA1
915cd908e6892ba6bc1c687ee91c7c31f06cfb38

SHA256
34e94d0ac538f8aa62107f487f59c10435f4bac1d45b07c128504183b8d203ea

SHA512
2ccb59b7925b300ca3c98af02e20117e0c7dbe2ab3062805da27661f67c8a7e2838c1d663930baa5c86c22714400a32308105a93e6123727963e670dd575dec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
Filesize
7.1MB

MD5
16c2d235426707e6ff27ece528ece779

SHA1
915cd908e6892ba6bc1c687ee91c7c31f06cfb38

SHA256
34e94d0ac538f8aa62107f487f59c10435f4bac1d45b07c128504183b8d203ea

SHA512
2ccb59b7925b300ca3c98af02e20117e0c7dbe2ab3062805da27661f67c8a7e2838c1d663930baa5c86c22714400a32308105a93e6123727963e670dd575dec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
Filesize
7.3MB

MD5
b07a97dfbd98584c270578d4dabad54c

SHA1
187079dfaec6764c865ad8762528298379747829

SHA256
e9696e6e988e8dcd463476047c1d44bb4c803973ecc76135ba8e5a6fa1b9a7d6

SHA512
482cf2568cd20a3846be378df38154dbe0c505524b0a97b08b063f0355a88a34fffb532d5238306be18316debcaad923282155dc5ddbf5ac50e41219f9629605

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
Filesize
7.3MB

MD5
b07a97dfbd98584c270578d4dabad54c

SHA1
187079dfaec6764c865ad8762528298379747829

SHA256
e9696e6e988e8dcd463476047c1d44bb4c803973ecc76135ba8e5a6fa1b9a7d6

SHA512
482cf2568cd20a3846be378df38154dbe0c505524b0a97b08b063f0355a88a34fffb532d5238306be18316debcaad923282155dc5ddbf5ac50e41219f9629605

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd
Filesize
101B

MD5
4775687903b0467498383b8fe5923733

SHA1
b0e57be3a2bda21e920c8d25443d9fdacfe766ea

SHA256
710d39c44bc741028cf507d656fe5cb9fbaed0661ec8a11af0d0cbd7a5b9fdbc

SHA512
eaca790b52a46f741b939e420145fedc93dead9ef9e27b139214cee13fa1f669c4b685ac26631e0db7433c858413d48bf0e1e094102167e226777f6292d1c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat
Filesize
8KB

MD5
d7d3c8b6e522c393a1e396a4f006f0f8

SHA1
639931bd892da0f024b66009d775df0da9ad08e0

SHA256
0f6be3f76a4c823ca0e93c87aeb69e6eecb13a3602f263e5501cb69f0e565572

SHA512
c4cc9d38ce64838c3ac4a3db3735316b43a1941c59b3514b7d6371108b12e16311ce11d9ce6d6972ebb1faee4899c3db0738a3d3c84bc676e9a4b60ad6b1b5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat
Filesize
9KB

MD5
b444d4d5d3979497975a98d61ae7ee6c

SHA1
0eac5ab65a1df52e7d5cdc3c6ddcfdd5e1195842

SHA256
cc22fd3b4156bfa88ecfa173841db14e379d9b9b72fa552f9a331aee161d36d9

SHA512
a7cad967b1ae1fdff5f0de1d0b399a91afc83d5eae3ccebdb131fba1bb332b959f969bb0dc317e652236ef127980ee5faa1dd7d0a2bda0b6b12105705189c48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerApp.exe
Filesize
829KB

MD5
2f84b70e58afa393d775da3e1ac5e490

SHA1
04a52192cfa64ea48dab130dfbf02e80068253cd

SHA256
f0326b0f458ee8283df11d7ec6b82e7e8567d5ac7cb7c8aa84cda063540e3acf

SHA512
bdb980322b9775f55d2be8300904dbb5d09281e3fbd1a2aa5044c09acb20c09bef7707266283bb8aa6929d38dc40bfff6c382237b13468ec57d680314f362c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerCPLApp.cpl
Filesize
173KB

MD5
d2ba7ac6e21f68d8dfdf99e1eb809104

SHA1
861dab538560bd2c73ac4fc5bf4cecf8a9d1753c

SHA256
c0e9aacc6fd0b880ca4a5b8ff277ead96a7c82a1b532d083b91ac0f8a06ad684

SHA512
eb9b3c3e4ebfb5e1ae11754fa3e24dd44de544b1fe5cecb1f296ff75833d4e90dd1083d400d39d0f9d5d4d086bf04390d8559e1fff1635fd4a694f87929fb449

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx
Filesize
11.3MB

MD5
43f59d21a2ce8ea54b3cccdedc813c87

SHA1
34837e86e8f11b57c07e6544ffa49e99e699f1ad

SHA256
e8241731c036122f09b57c556eace451b4a8a4fa2fa2e63a6b4318b25e49e7e3

SHA512
5a9cb9a48c66ba183d28e2a15ac9a2c49d2a947ec4516025a5d54bf401b307c9cc94c28a435da2e1de4dfdef95923b3cc12ca33a76e8e47473908f59ab765847

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash7.ocx
Filesize
9.5MB

MD5
c71da4ec3176aa4ff48f3e957b9fa344

SHA1
864acd2973ca8feb6bf6c0762eec735742360faa

SHA256
7659f35e9457fa3c1674e3ac278907bc3b4571299ee4afc2aa0b9d5e3e7c5eed

SHA512
4c0a74fe3b8525fa79d69c234ccdab822e3642f6050454261cfade01c0f644bf4572b00a3382f423a16b0ed093b5bf0f399ab09218d925a7b680880e91393c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx
Filesize
13.2MB

MD5
1b47e0e2e0beaa44d727c364ac83fc3f

SHA1
166f981c43da2ca3bc31ffcfe827ebee6e8e755d

SHA256
7199672c4864c83bf315958d7d34c394b913c89a7a2829b61a38cbebf09c739f

SHA512
12f9439a71ae0ee20d5aff0cfc13368f6268ffd88dcd05ba55021c806d78adda8dd117c315eab6e1da08c9fd3375c3310744881a223f6cc269b72ecf6633c671

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash7.ocx
Filesize
12.0MB

MD5
af050e271bf827c1508b315f5abaf233

SHA1
c0013f3e01cea71d7a17724dd38d7838fd5bb419

SHA256
ccd558c0f4e431f26ba4d695e70ef333c3d88bd08572e4ae33e1ef02c4a9a147

SHA512
51d25e92e66519acf049f1beba82218fc24634314153ddfa257cffbe17227f311472b24831acb74a909b271971e490583515c4ae48ac51725d6596c6c64a382c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat
Filesize
6KB

MD5
664e07acb9cf003016b04fe803994431

SHA1
97ee7bfae883a4a1ad9635c311638a3013c78238

SHA256
cd22bf72c8a4c3ac14910213d8aca3af2392f63b0859de5d550c4b59fdadaf6e

SHA512
a4e0fe3cb3950b7236886062851bf0e87c53dc63ad71035032c10cf7fff88a5ac488b450d6409f8d5e3c018b1a8640cdbe5132e6a1936292d2628576c4960529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat
Filesize
4KB

MD5
960fa5690a75088fd25e50217cb6d6f8

SHA1
9ff3fb909835bda47d3ca7b45b69754dc3b79cf2

SHA256
256e1bc27ddd9d0f0197371ed5db4211cdfb704b41f89ddf72d07547551fa585

SHA512
19442c8590c9f7d592bdc8490ba8c72072472032b10b224a0ea790adbefd1bbb4d6637d7def34667aeea991d11a991fefe84377eb65b5b129e53d5726cd8075d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
2a093572d365b6d6094e600f1cc66486

SHA1
4552a0c5af272e4cb9a56f2f755b99a11bf360af

SHA256
aa19ba2e7bb476f879e05a16c5d844ac2d9e25221f0b47d7307be2d99c54173b

SHA512
c1f0945bd84cbf3b1ad0cf24762259f4bb6d6a73c20658d1b5070585f9f96a9f884050e106149ef7ac45f39f14ef3c43100309ddb6f6b028a5a2895c0ae17027

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\NPSWF.dll
Filesize
9.4MB

MD5
9fb7d3a9a438d1d64c59d7f7b341573c

SHA1
25c63ddc242f767082c01d43296c9ab64b9a603a

SHA256
8d25bca3a4ec907a5addabaeb5f4244c88eb111f1c0b531a616533aa9f2e7a11

SHA512
6fb8b2fc1f53ad3411643dee523cd0c408cec99921e88895e1501d2caa700fde39d287bc58d28245ba6e053b565bd11481e830732ecf1ee1e2ec95080b0d089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\NPSWF.dll
Filesize
11.6MB

MD5
ea70fce7aa51895032e2351198222300

SHA1
800144719de1abffecfaee057d5c37dcdcc62b20

SHA256
35a7fa0af957f5cd78f6cc32cc283924583475d46d3b7285c5622b18833cb775

SHA512
90adda663c405e56933f7f54f541812478598c8dd703028226dad5a4993bb47011c033e869a21748b0944cb2c4ce8faec9473ec6faee228e9436bf22545ab1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat
Filesize
5KB

MD5
68153953000575396382e9dc97e364f8

SHA1
83e436333affb52a1d6368c32d8788df95f5b1bd

SHA256
39902f011e4b0a630a7712a4e780bb28cee9e12c781616b922f7bbb212893590

SHA512
94f4a5df38819a4ac11665ba70f75bbf1dc900f6c82548fde75b2bd79f2c54904bf46e2c509e5d7e3fec43699693d1c4888842b19323d3ee72b1d76f269915a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat
Filesize
4KB

MD5
1502e7531bf2ad953a7cc67736ba24da

SHA1
6fab2b539b233fb8f5ef000808b9387f45ca8f70

SHA256
ce2e51405fc9fb05037723e35e8d9c76cf5a9b11487a2c612c5f8c03cb278a53

SHA512
c946fb3a8d8b37b60c566baeae5364ab3896b6a63e415e991117471c891d88b1876aee419a7699c9fbf5295fb9fe6096a722212e87bd896c16f9eefbc6a23bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\manifest.json
Filesize
2KB

MD5
3b97e9f041903efe19d9d661f0798f86

SHA1
9346dd832fde4acad2aa79a943954a3681e42d2a

SHA256
83e5d98145096e0aaa29387fce21dfdc15849479881a4a060cb1bdab34b0d6f8

SHA512
abc0b6c49ccb5d7b1ab37499a9f8060af184951a0ea01fab79742474452f5206cce84de7737dd7a36742f53acc32f7ed460531784e2ebf55cd76f7f69e08519b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\pepflashplayer.dll
Filesize
8.6MB

MD5
4d3ed246f300b65241694d22f7e326a0

SHA1
b8221af340a571e53e9df827c7070ec162ffa56c

SHA256
e50474b500bd1fdbb9efd3b5dc25338204080ceea988eb7a390d1b47dadd5b1c

SHA512
0f2330b75f8c4031d27e7025b7c8767aed4254115a311183a9ac45c680409af2aec83208af686c619a22eb7ef2f0ac5f2cb1352097e1d277815389e0338968e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\manifest.json
Filesize
2KB

MD5
64f056c1324cd1a0d7ba0605ac5e8335

SHA1
4d13f840ef44ec32e98b91ffd50201cc96f86cf9

SHA256
826f431570c49ac51a39bd772ac8ada5fe05253361e05ef60db22a234b8fbc59

SHA512
0886d881356d8d670fec7ae90e43287e0203b05d6e46e12784c0c3630ae815e7f3ca285743a95693a370d7d3171bf71a73e6cdd2df067636dfe237d07d9d8655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\pepflashplayer.dll
Filesize
15.3MB

MD5
97c3a6be6f000e0681c58b78419e2c19

SHA1
8483463cbb1a708f8d19413c146091a37b8dbcc2

SHA256
c650eed91f12c5d202cb4d291b4c68f656a24d0a9783fd84d72e00cf6b21c3a7

SHA512
2b2c271b7da44adab4f111851f455219659e19574ba89aa1cea46a89d74e9beebebdf69d6cc2b0f3f31cd99793eb3f53d1402aa5a0cbee8944e8e8551459d432

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
c71da4ec3176aa4ff48f3e957b9fa344

SHA1
864acd2973ca8feb6bf6c0762eec735742360faa

SHA256
7659f35e9457fa3c1674e3ac278907bc3b4571299ee4afc2aa0b9d5e3e7c5eed

SHA512
4c0a74fe3b8525fa79d69c234ccdab822e3642f6050454261cfade01c0f644bf4572b00a3382f423a16b0ed093b5bf0f399ab09218d925a7b680880e91393c3b

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
c71da4ec3176aa4ff48f3e957b9fa344

SHA1
864acd2973ca8feb6bf6c0762eec735742360faa

SHA256
7659f35e9457fa3c1674e3ac278907bc3b4571299ee4afc2aa0b9d5e3e7c5eed

SHA512
4c0a74fe3b8525fa79d69c234ccdab822e3642f6050454261cfade01c0f644bf4572b00a3382f423a16b0ed093b5bf0f399ab09218d925a7b680880e91393c3b

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
2a093572d365b6d6094e600f1cc66486

SHA1
4552a0c5af272e4cb9a56f2f755b99a11bf360af

SHA256
aa19ba2e7bb476f879e05a16c5d844ac2d9e25221f0b47d7307be2d99c54173b

SHA512
c1f0945bd84cbf3b1ad0cf24762259f4bb6d6a73c20658d1b5070585f9f96a9f884050e106149ef7ac45f39f14ef3c43100309ddb6f6b028a5a2895c0ae17027

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll
Filesize
9.4MB

MD5
9fb7d3a9a438d1d64c59d7f7b341573c

SHA1
25c63ddc242f767082c01d43296c9ab64b9a603a

SHA256
8d25bca3a4ec907a5addabaeb5f4244c88eb111f1c0b531a616533aa9f2e7a11

SHA512
6fb8b2fc1f53ad3411643dee523cd0c408cec99921e88895e1501d2caa700fde39d287bc58d28245ba6e053b565bd11481e830732ecf1ee1e2ec95080b0d089f

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat
Filesize
9KB

MD5
b444d4d5d3979497975a98d61ae7ee6c

SHA1
0eac5ab65a1df52e7d5cdc3c6ddcfdd5e1195842

SHA256
cc22fd3b4156bfa88ecfa173841db14e379d9b9b72fa552f9a331aee161d36d9

SHA512
a7cad967b1ae1fdff5f0de1d0b399a91afc83d5eae3ccebdb131fba1bb332b959f969bb0dc317e652236ef127980ee5faa1dd7d0a2bda0b6b12105705189c48a

Download Submit
C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat
Filesize
4KB

MD5
960fa5690a75088fd25e50217cb6d6f8

SHA1
9ff3fb909835bda47d3ca7b45b69754dc3b79cf2

SHA256
256e1bc27ddd9d0f0197371ed5db4211cdfb704b41f89ddf72d07547551fa585

SHA512
19442c8590c9f7d592bdc8490ba8c72072472032b10b224a0ea790adbefd1bbb4d6637d7def34667aeea991d11a991fefe84377eb65b5b129e53d5726cd8075d

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
af050e271bf827c1508b315f5abaf233

SHA1
c0013f3e01cea71d7a17724dd38d7838fd5bb419

SHA256
ccd558c0f4e431f26ba4d695e70ef333c3d88bd08572e4ae33e1ef02c4a9a147

SHA512
51d25e92e66519acf049f1beba82218fc24634314153ddfa257cffbe17227f311472b24831acb74a909b271971e490583515c4ae48ac51725d6596c6c64a382c

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
af050e271bf827c1508b315f5abaf233

SHA1
c0013f3e01cea71d7a17724dd38d7838fd5bb419

SHA256
ccd558c0f4e431f26ba4d695e70ef333c3d88bd08572e4ae33e1ef02c4a9a147

SHA512
51d25e92e66519acf049f1beba82218fc24634314153ddfa257cffbe17227f311472b24831acb74a909b271971e490583515c4ae48ac51725d6596c6c64a382c

Download Submit
C:\Windows\System32\Macromed\Flash\NPSWF.dll
Filesize
11.6MB

MD5
ea70fce7aa51895032e2351198222300

SHA1
800144719de1abffecfaee057d5c37dcdcc62b20

SHA256
35a7fa0af957f5cd78f6cc32cc283924583475d46d3b7285c5622b18833cb775

SHA512
90adda663c405e56933f7f54f541812478598c8dd703028226dad5a4993bb47011c033e869a21748b0944cb2c4ce8faec9473ec6faee228e9436bf22545ab1e8

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
c71da4ec3176aa4ff48f3e957b9fa344

SHA1
864acd2973ca8feb6bf6c0762eec735742360faa

SHA256
7659f35e9457fa3c1674e3ac278907bc3b4571299ee4afc2aa0b9d5e3e7c5eed

SHA512
4c0a74fe3b8525fa79d69c234ccdab822e3642f6050454261cfade01c0f644bf4572b00a3382f423a16b0ed093b5bf0f399ab09218d925a7b680880e91393c3b

Download Submit
\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
af050e271bf827c1508b315f5abaf233

SHA1
c0013f3e01cea71d7a17724dd38d7838fd5bb419

SHA256
ccd558c0f4e431f26ba4d695e70ef333c3d88bd08572e4ae33e1ef02c4a9a147

SHA512
51d25e92e66519acf049f1beba82218fc24634314153ddfa257cffbe17227f311472b24831acb74a909b271971e490583515c4ae48ac51725d6596c6c64a382c

Download Submit
memory/548-123-0x0000000000000000-mapping.dmp

Download
memory/556-61-0x0000000000000000-mapping.dmp

Download
memory/600-77-0x0000000000000000-mapping.dmp

Download
memory/768-84-0x0000000000000000-mapping.dmp

Download
memory/772-111-0x0000000000000000-mapping.dmp

Download
memory/812-121-0x0000000000000000-mapping.dmp

Download
memory/820-70-0x0000000000000000-mapping.dmp

Download
memory/860-81-0x0000000000000000-mapping.dmp

Download
memory/880-119-0x0000000000000000-mapping.dmp

Download
memory/920-106-0x0000000000000000-mapping.dmp

Download
memory/960-80-0x0000000000000000-mapping.dmp

Download
memory/972-67-0x0000000000000000-mapping.dmp

Download
memory/972-104-0x0000000000000000-mapping.dmp

Download
memory/980-133-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/980-88-0x0000000000000000-mapping.dmp

Download
memory/1044-91-0x0000000000000000-mapping.dmp

Download
memory/1064-97-0x0000000000000000-mapping.dmp

Download
memory/1108-98-0x0000000000000000-mapping.dmp

Download
memory/1128-110-0x0000000000000000-mapping.dmp

Download
memory/1144-56-0x0000000000000000-mapping.dmp

Download
memory/1148-58-0x0000000000000000-mapping.dmp

Download
memory/1152-68-0x0000000000000000-mapping.dmp

Download
memory/1156-89-0x0000000000000000-mapping.dmp

Download
memory/1196-96-0x0000000000000000-mapping.dmp

Download
memory/1236-57-0x0000000000000000-mapping.dmp

Download
memory/1260-69-0x0000000000000000-mapping.dmp

Download
memory/1284-95-0x0000000000000000-mapping.dmp

Download
memory/1308-85-0x0000000000000000-mapping.dmp

Download
memory/1308-130-0x0000000000000000-mapping.dmp

Download
memory/1328-94-0x0000000000000000-mapping.dmp

Download
memory/1384-99-0x0000000000000000-mapping.dmp

Download
memory/1396-87-0x0000000000000000-mapping.dmp

Download
memory/1412-76-0x0000000000000000-mapping.dmp

Download
memory/1484-127-0x0000000000000000-mapping.dmp

Download
memory/1492-107-0x0000000000000000-mapping.dmp

Download
memory/1572-64-0x0000000000000000-mapping.dmp

Download
memory/1616-93-0x0000000000000000-mapping.dmp

Download
memory/1644-66-0x0000000000000000-mapping.dmp

Download
memory/1656-125-0x0000000000000000-mapping.dmp

Download
memory/1660-113-0x0000000000000000-mapping.dmp

Download
memory/1680-105-0x0000000000000000-mapping.dmp

Download
memory/1688-100-0x0000000000000000-mapping.dmp

Download
memory/1704-126-0x0000000000000000-mapping.dmp

Download
memory/1716-101-0x0000000000000000-mapping.dmp

Download
memory/1728-92-0x0000000000000000-mapping.dmp

Download
memory/1748-103-0x0000000000000000-mapping.dmp

Download
memory/1760-168-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1760-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1760-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1776-82-0x0000000000000000-mapping.dmp

Download
memory/1792-122-0x0000000000000000-mapping.dmp

Download
memory/1800-124-0x0000000000000000-mapping.dmp

Download
memory/1820-86-0x0000000000000000-mapping.dmp

Download
memory/1880-102-0x0000000000000000-mapping.dmp

Download
memory/1944-83-0x0000000000000000-mapping.dmp

Download
memory/1956-120-0x0000000000000000-mapping.dmp

Download
memory/1960-78-0x0000000000000000-mapping.dmp

Download
memory/1964-79-0x0000000000000000-mapping.dmp

Download
memory/1972-117-0x0000000000000000-mapping.dmp

Download
memory/1984-118-0x0000000000000000-mapping.dmp

Download
memory/1992-75-0x0000000000000000-mapping.dmp

Download
memory/2000-74-0x0000000000000000-mapping.dmp

Download
memory/2008-90-0x0000000000000000-mapping.dmp

Download
memory/2016-72-0x0000000000000000-mapping.dmp

Download
memory/2020-116-0x0000000000000000-mapping.dmp

Download
memory/2024-71-0x0000000000000000-mapping.dmp

Download
memory/2024-114-0x0000000000000000-mapping.dmp

Download
memory/2044-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads