45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315

Analysis

max time kernel
84s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2022 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe
Size

25.1MB
MD5

b4775fcffd1877ffa155fffc0832cbd8
SHA1

c1e419c89fbd9aadcd1d436ec2c98f3be1db8dad
SHA256

45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315
SHA512

6c697f8df1d5e3395b3caa8bc89c1e74706c23cef21cbf7abb62efaebeb02c09228e4079d62a7e65f56a6232f9b85ba9fb1e174772313a574e03d91df3b4e8e0
SSDEEP

786432:d3GJ4ZidZLnUH8ANG3Yjonnb1f5VgXoPq:cqyLnKFgbx5VgYPq

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Adobe_Flash_Player_ActiveX_v34_0_0_277.exeAdobe_Flash_Player_NPAPI_v34_0_0_277.exeAdobe_Flash_Player_PPAPI_v34_0_0_277.exe

pid process

4924 Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
1828 Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
4600 Adobe_Flash_Player_PPAPI_v34_0_0_277.exe

pid	process
4924	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
1828	Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
4600	Adobe_Flash_Player_PPAPI_v34_0_0_277.exe

Possible privilege escalation attempt 16 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
1068	icacls.exe
1556	icacls.exe
2168	icacls.exe
2276	icacls.exe
1012	icacls.exe
3880	takeown.exe
3624	takeown.exe
4184	icacls.exe
2580	takeown.exe
3420	takeown.exe
4980	takeown.exe
4312	icacls.exe
4216	icacls.exe
3516	icacls.exe
4812	icacls.exe
4240	takeown.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Adobe_Flash_Player_ActiveX_v34_0_0_277.exeAdobe_Flash_Player_NPAPI_v34_0_0_277.exeAdobe_Flash_Player_PPAPI_v34_0_0_277.exe45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

528 regsvr32.exe
2548 regsvr32.exe

pid	process
528	regsvr32.exe
2548	regsvr32.exe

Modifies file permissions 1 TTPs 16 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4240	takeown.exe
2168	icacls.exe
3880	takeown.exe
3516	icacls.exe
4812	icacls.exe
3624	takeown.exe
1556	icacls.exe
4312	icacls.exe
2580	takeown.exe
4980	takeown.exe
1068	icacls.exe
3420	takeown.exe
1012	icacls.exe
4184	icacls.exe
4216	icacls.exe
2276	icacls.exe

Drops file in System32 directory 42 IoCs

Processes:

xcopy.exexcopy.exexcopy.execmd.exeregsvr32.exexcopy.exexcopy.exexcopy.execmd.exexcopy.execmd.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat	cmd.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	regsvr32.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\manifest.json	xcopy.exe
File created	C:\Windows\SysWOW64\FlashPlayerApp.exe	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerApp.exe	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat	cmd.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\NPSWF.dll	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat	cmd.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ico	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	xcopy.exe
File created	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\manifest.json	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	regsvr32.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

xcopy.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 xcopy.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4204 sc.exe
3880 sc.exe
1716 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4416 timeout.exe
3228 timeout.exe
3164 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2008 taskkill.exe
3304 taskkill.exe
3924 taskkill.exe
4252 taskkill.exe
1712 taskkill.exe
1712 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	xcopy.exe

pid	process
4204	sc.exe
3880	sc.exe
1716	sc.exe

pid	process
4416	timeout.exe
3228	timeout.exe
3164	timeout.exe

pid	process
2008	taskkill.exe
3304	taskkill.exe
3924	taskkill.exe
4252	taskkill.exe
1712	taskkill.exe
1712	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win64\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.32\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.29\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\HELPDIR\ = "C:\\Windows\\System32\\Macromed\\Flash"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

528 regsvr32.exe
2548 regsvr32.exe

pid	process
528	regsvr32.exe
2548	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.execmd.execmd.exeAdobe_Flash_Player_ActiveX_v34_0_0_277.execmd.exe

description	pid	process	target process
PID 4656 wrote to memory of 3080	4656	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 4656 wrote to memory of 3080	4656	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 3080 wrote to memory of 2976	3080	cmd.exe	attrib.exe
PID 3080 wrote to memory of 2976	3080	cmd.exe	attrib.exe
PID 4656 wrote to memory of 1480	4656	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 4656 wrote to memory of 1480	4656	45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe	cmd.exe
PID 1480 wrote to memory of 4924	1480	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1480 wrote to memory of 4924	1480	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 1480 wrote to memory of 4924	1480	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
PID 4924 wrote to memory of 4024	4924	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe	cmd.exe
PID 4924 wrote to memory of 4024	4924	Adobe_Flash_Player_ActiveX_v34_0_0_277.exe	cmd.exe
PID 4024 wrote to memory of 5112	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 5112	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 4204	4024	cmd.exe	sc.exe
PID 4024 wrote to memory of 4204	4024	cmd.exe	sc.exe
PID 4024 wrote to memory of 1712	4024	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 1712	4024	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 2008	4024	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 2008	4024	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 2688	4024	cmd.exe	schtasks.exe
PID 4024 wrote to memory of 2688	4024	cmd.exe	schtasks.exe
PID 4024 wrote to memory of 4032	4024	cmd.exe	schtasks.exe
PID 4024 wrote to memory of 4032	4024	cmd.exe	schtasks.exe
PID 4024 wrote to memory of 224	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 224	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3560	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3560	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 4360	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 4360	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 2240	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 2240	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 4972	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 4972	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3816	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3816	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3628	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3628	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3492	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3492	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 3464	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 3464	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 3872	4024	cmd.exe	findstr.exe
PID 4024 wrote to memory of 3872	4024	cmd.exe	findstr.exe
PID 4024 wrote to memory of 3624	4024	cmd.exe	takeown.exe
PID 4024 wrote to memory of 3624	4024	cmd.exe	takeown.exe
PID 4024 wrote to memory of 4240	4024	cmd.exe	takeown.exe
PID 4024 wrote to memory of 4240	4024	cmd.exe	takeown.exe
PID 4024 wrote to memory of 1916	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 1916	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 1556	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 1556	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 5104	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 5104	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 4312	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 4312	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 4960	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 4960	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 1068	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 1068	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 4852	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 4852	4024	cmd.exe	cmd.exe
PID 4024 wrote to memory of 4184	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 4184	4024	cmd.exe	icacls.exe
PID 4024 wrote to memory of 2508	4024	cmd.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2976 attrib.exe

pid	process
2976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe
"C:\Users\Admin\AppData\Local\Temp\45b74a50c20e74c1b41f3f35d10725971d74fcdaf077c06cbe51f2784e741315.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
2⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
3⤵
- Views/modifies file attributes
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe /ai /gm2
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:5112

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:4204

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:2688

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:4032

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:224

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:3560

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:4360

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:2240

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:4972

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:3816

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:3628

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:3464

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:3872

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3624

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1916

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:5104

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:4960

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerApp.exe" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:4852

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:2508

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerApp.exe" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:5040

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4216

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayer" /f
5⤵
PID:3444

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f
5⤵
PID:1676

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType" /f
5⤵
PID:3300

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer" /f
5⤵
PID:868

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f
5⤵
PID:884

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveXReleaseType" /f
5⤵
PID:3820

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe" /f
5⤵
PID:1056

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_ActiveX.exe" /f
5⤵
PID:1332

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_ActiveX.exe" /f
5⤵
PID:3244

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:5084

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\*" "C:\Windows\SysWOW64\"
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:448

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:4996

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:3204

C:\Windows\system32\find.exe
find "5."
5⤵
PID:4580

C:\Windows\system32\find.exe
find "5."
5⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:4712

C:\Windows\system32\find.exe
find "6.0."
5⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:3364

C:\Windows\system32\find.exe
find "6.0."
5⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:832

C:\Windows\system32\find.exe
find "6.1."
5⤵
PID:1496

C:\Windows\system32\find.exe
find "6.1."
5⤵
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1336

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
- Registers COM server for autorun
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
PID:2012

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:1444

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.277"
5⤵
PID:724

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.277"
5⤵
PID:2888

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
PID:3180

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
PID:4060

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:4416

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayName" /d "Adobe Flash Player 34 ActiveX"
4⤵
PID:636

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayVersion" /d "34.0.0.277"
4⤵
PID:1716

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
4⤵
PID:2032

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
4⤵
PID:4252

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat"
4⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe /ai /gm2
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat"
4⤵
PID:3596

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:4052

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:3880

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:5104

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:4312

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:4840

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:3676

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:1244

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:1588

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:3940

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:2508

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:2168

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:960

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:4832

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2580

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:3856

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1796

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1012

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f
5⤵
PID:3892

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center\Svc\Vol" /f
5⤵
PID:3416

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /f /v "cval"
5⤵
PID:752

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f
5⤵
PID:3244

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPluginReleaseType" /f
5⤵
PID:3908

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f
5⤵
PID:4072

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f
5⤵
PID:4504

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPluginReleaseType" /f
5⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1484

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\*" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1236

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:3932

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.277"
5⤵
PID:2252

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
5⤵
PID:4668

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.277"
5⤵
PID:4148

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
5⤵
PID:1864

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1344

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
5⤵
PID:1496

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.277"
5⤵
PID:1592

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
5⤵
PID:4084

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "XPTPath" /d "C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt"
5⤵
PID:4088

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:3228

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 NPAPI"
4⤵
PID:932

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayVersion" /d "34.0.0.277"
4⤵
PID:1132

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
4⤵
PID:2976

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
4⤵
PID:3060

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat"
4⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe /ai /gm2
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat"
4⤵
PID:1976

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:4596

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:1716

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:1288

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:4880

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:2244

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:3948

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:4104

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:3652

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:4900

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1064

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:4896

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1968

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:3872

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3880

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4980

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:5104

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4812

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\*" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1492

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:3140

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
5⤵
PID:3856

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
5⤵
PID:4740

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
5⤵
PID:3300

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
5⤵
PID:2580

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.277"
5⤵
PID:3444

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
5⤵
PID:1800

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\pepflashplayer.dll"
5⤵
PID:1796

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.277"
5⤵
PID:5096

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
5⤵
PID:1332

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
5⤵
PID:1056

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
5⤵
PID:3416

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
5⤵
PID:4172

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
5⤵
PID:5080

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll"
5⤵
PID:4448

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:3164

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 PPAPI"
4⤵
PID:2648

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayVersion" /d "34.0.0.277"
4⤵
PID:2608

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
4⤵
PID:2276

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ico"
4⤵
PID:3780

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat"
4⤵
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
Filesize
11.0MB

MD5
91157209ad82927373b6974bb6a1f70a

SHA1
2110f85d2637343e45a167e36903e7534c7bbfa4

SHA256
6ef1dc9dd7a71e3588c86e9f51059413bb5ba8cc7ededae06d57150e9f31f0ee

SHA512
1950e756f1f706ad41b9eef857ee30c2ccbf77fce35330a69a3d4e0825bedb1ba178560958aaa7c1f11e218250ff39178c775371998dac52d09d49e277ff8888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_277.exe
Filesize
11.0MB

MD5
91157209ad82927373b6974bb6a1f70a

SHA1
2110f85d2637343e45a167e36903e7534c7bbfa4

SHA256
6ef1dc9dd7a71e3588c86e9f51059413bb5ba8cc7ededae06d57150e9f31f0ee

SHA512
1950e756f1f706ad41b9eef857ee30c2ccbf77fce35330a69a3d4e0825bedb1ba178560958aaa7c1f11e218250ff39178c775371998dac52d09d49e277ff8888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
Filesize
7.1MB

MD5
16c2d235426707e6ff27ece528ece779

SHA1
915cd908e6892ba6bc1c687ee91c7c31f06cfb38

SHA256
34e94d0ac538f8aa62107f487f59c10435f4bac1d45b07c128504183b8d203ea

SHA512
2ccb59b7925b300ca3c98af02e20117e0c7dbe2ab3062805da27661f67c8a7e2838c1d663930baa5c86c22714400a32308105a93e6123727963e670dd575dec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_277.exe
Filesize
7.1MB

MD5
16c2d235426707e6ff27ece528ece779

SHA1
915cd908e6892ba6bc1c687ee91c7c31f06cfb38

SHA256
34e94d0ac538f8aa62107f487f59c10435f4bac1d45b07c128504183b8d203ea

SHA512
2ccb59b7925b300ca3c98af02e20117e0c7dbe2ab3062805da27661f67c8a7e2838c1d663930baa5c86c22714400a32308105a93e6123727963e670dd575dec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
Filesize
7.3MB

MD5
b07a97dfbd98584c270578d4dabad54c

SHA1
187079dfaec6764c865ad8762528298379747829

SHA256
e9696e6e988e8dcd463476047c1d44bb4c803973ecc76135ba8e5a6fa1b9a7d6

SHA512
482cf2568cd20a3846be378df38154dbe0c505524b0a97b08b063f0355a88a34fffb532d5238306be18316debcaad923282155dc5ddbf5ac50e41219f9629605

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_277.exe
Filesize
7.3MB

MD5
b07a97dfbd98584c270578d4dabad54c

SHA1
187079dfaec6764c865ad8762528298379747829

SHA256
e9696e6e988e8dcd463476047c1d44bb4c803973ecc76135ba8e5a6fa1b9a7d6

SHA512
482cf2568cd20a3846be378df38154dbe0c505524b0a97b08b063f0355a88a34fffb532d5238306be18316debcaad923282155dc5ddbf5ac50e41219f9629605

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd
Filesize
101B

MD5
4775687903b0467498383b8fe5923733

SHA1
b0e57be3a2bda21e920c8d25443d9fdacfe766ea

SHA256
710d39c44bc741028cf507d656fe5cb9fbaed0661ec8a11af0d0cbd7a5b9fdbc

SHA512
eaca790b52a46f741b939e420145fedc93dead9ef9e27b139214cee13fa1f669c4b685ac26631e0db7433c858413d48bf0e1e094102167e226777f6292d1c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat
Filesize
8KB

MD5
d7d3c8b6e522c393a1e396a4f006f0f8

SHA1
639931bd892da0f024b66009d775df0da9ad08e0

SHA256
0f6be3f76a4c823ca0e93c87aeb69e6eecb13a3602f263e5501cb69f0e565572

SHA512
c4cc9d38ce64838c3ac4a3db3735316b43a1941c59b3514b7d6371108b12e16311ce11d9ce6d6972ebb1faee4899c3db0738a3d3c84bc676e9a4b60ad6b1b5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat
Filesize
9KB

MD5
b444d4d5d3979497975a98d61ae7ee6c

SHA1
0eac5ab65a1df52e7d5cdc3c6ddcfdd5e1195842

SHA256
cc22fd3b4156bfa88ecfa173841db14e379d9b9b72fa552f9a331aee161d36d9

SHA512
a7cad967b1ae1fdff5f0de1d0b399a91afc83d5eae3ccebdb131fba1bb332b959f969bb0dc317e652236ef127980ee5faa1dd7d0a2bda0b6b12105705189c48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerApp.exe
Filesize
829KB

MD5
2f84b70e58afa393d775da3e1ac5e490

SHA1
04a52192cfa64ea48dab130dfbf02e80068253cd

SHA256
f0326b0f458ee8283df11d7ec6b82e7e8567d5ac7cb7c8aa84cda063540e3acf

SHA512
bdb980322b9775f55d2be8300904dbb5d09281e3fbd1a2aa5044c09acb20c09bef7707266283bb8aa6929d38dc40bfff6c382237b13468ec57d680314f362c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerCPLApp.cpl
Filesize
173KB

MD5
d2ba7ac6e21f68d8dfdf99e1eb809104

SHA1
861dab538560bd2c73ac4fc5bf4cecf8a9d1753c

SHA256
c0e9aacc6fd0b880ca4a5b8ff277ead96a7c82a1b532d083b91ac0f8a06ad684

SHA512
eb9b3c3e4ebfb5e1ae11754fa3e24dd44de544b1fe5cecb1f296ff75833d4e90dd1083d400d39d0f9d5d4d086bf04390d8559e1fff1635fd4a694f87929fb449

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx
Filesize
11.3MB

MD5
43f59d21a2ce8ea54b3cccdedc813c87

SHA1
34837e86e8f11b57c07e6544ffa49e99e699f1ad

SHA256
e8241731c036122f09b57c556eace451b4a8a4fa2fa2e63a6b4318b25e49e7e3

SHA512
5a9cb9a48c66ba183d28e2a15ac9a2c49d2a947ec4516025a5d54bf401b307c9cc94c28a435da2e1de4dfdef95923b3cc12ca33a76e8e47473908f59ab765847

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx
Filesize
13.2MB

MD5
1b47e0e2e0beaa44d727c364ac83fc3f

SHA1
166f981c43da2ca3bc31ffcfe827ebee6e8e755d

SHA256
7199672c4864c83bf315958d7d34c394b913c89a7a2829b61a38cbebf09c739f

SHA512
12f9439a71ae0ee20d5aff0cfc13368f6268ffd88dcd05ba55021c806d78adda8dd117c315eab6e1da08c9fd3375c3310744881a223f6cc269b72ecf6633c671

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat
Filesize
6KB

MD5
664e07acb9cf003016b04fe803994431

SHA1
97ee7bfae883a4a1ad9635c311638a3013c78238

SHA256
cd22bf72c8a4c3ac14910213d8aca3af2392f63b0859de5d550c4b59fdadaf6e

SHA512
a4e0fe3cb3950b7236886062851bf0e87c53dc63ad71035032c10cf7fff88a5ac488b450d6409f8d5e3c018b1a8640cdbe5132e6a1936292d2628576c4960529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat
Filesize
4KB

MD5
960fa5690a75088fd25e50217cb6d6f8

SHA1
9ff3fb909835bda47d3ca7b45b69754dc3b79cf2

SHA256
256e1bc27ddd9d0f0197371ed5db4211cdfb704b41f89ddf72d07547551fa585

SHA512
19442c8590c9f7d592bdc8490ba8c72072472032b10b224a0ea790adbefd1bbb4d6637d7def34667aeea991d11a991fefe84377eb65b5b129e53d5726cd8075d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
2a093572d365b6d6094e600f1cc66486

SHA1
4552a0c5af272e4cb9a56f2f755b99a11bf360af

SHA256
aa19ba2e7bb476f879e05a16c5d844ac2d9e25221f0b47d7307be2d99c54173b

SHA512
c1f0945bd84cbf3b1ad0cf24762259f4bb6d6a73c20658d1b5070585f9f96a9f884050e106149ef7ac45f39f14ef3c43100309ddb6f6b028a5a2895c0ae17027

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\NPSWF.dll
Filesize
9.4MB

MD5
9fb7d3a9a438d1d64c59d7f7b341573c

SHA1
25c63ddc242f767082c01d43296c9ab64b9a603a

SHA256
8d25bca3a4ec907a5addabaeb5f4244c88eb111f1c0b531a616533aa9f2e7a11

SHA512
6fb8b2fc1f53ad3411643dee523cd0c408cec99921e88895e1501d2caa700fde39d287bc58d28245ba6e053b565bd11481e830732ecf1ee1e2ec95080b0d089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\NPSWF.dll
Filesize
11.6MB

MD5
ea70fce7aa51895032e2351198222300

SHA1
800144719de1abffecfaee057d5c37dcdcc62b20

SHA256
35a7fa0af957f5cd78f6cc32cc283924583475d46d3b7285c5622b18833cb775

SHA512
90adda663c405e56933f7f54f541812478598c8dd703028226dad5a4993bb47011c033e869a21748b0944cb2c4ce8faec9473ec6faee228e9436bf22545ab1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat
Filesize
5KB

MD5
68153953000575396382e9dc97e364f8

SHA1
83e436333affb52a1d6368c32d8788df95f5b1bd

SHA256
39902f011e4b0a630a7712a4e780bb28cee9e12c781616b922f7bbb212893590

SHA512
94f4a5df38819a4ac11665ba70f75bbf1dc900f6c82548fde75b2bd79f2c54904bf46e2c509e5d7e3fec43699693d1c4888842b19323d3ee72b1d76f269915a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat
Filesize
4KB

MD5
1502e7531bf2ad953a7cc67736ba24da

SHA1
6fab2b539b233fb8f5ef000808b9387f45ca8f70

SHA256
ce2e51405fc9fb05037723e35e8d9c76cf5a9b11487a2c612c5f8c03cb278a53

SHA512
c946fb3a8d8b37b60c566baeae5364ab3896b6a63e415e991117471c891d88b1876aee419a7699c9fbf5295fb9fe6096a722212e87bd896c16f9eefbc6a23bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\manifest.json
Filesize
2KB

MD5
3b97e9f041903efe19d9d661f0798f86

SHA1
9346dd832fde4acad2aa79a943954a3681e42d2a

SHA256
83e5d98145096e0aaa29387fce21dfdc15849479881a4a060cb1bdab34b0d6f8

SHA512
abc0b6c49ccb5d7b1ab37499a9f8060af184951a0ea01fab79742474452f5206cce84de7737dd7a36742f53acc32f7ed460531784e2ebf55cd76f7f69e08519b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\pepflashplayer.dll
Filesize
8.6MB

MD5
4d3ed246f300b65241694d22f7e326a0

SHA1
b8221af340a571e53e9df827c7070ec162ffa56c

SHA256
e50474b500bd1fdbb9efd3b5dc25338204080ceea988eb7a390d1b47dadd5b1c

SHA512
0f2330b75f8c4031d27e7025b7c8767aed4254115a311183a9ac45c680409af2aec83208af686c619a22eb7ef2f0ac5f2cb1352097e1d277815389e0338968e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\manifest.json
Filesize
2KB

MD5
64f056c1324cd1a0d7ba0605ac5e8335

SHA1
4d13f840ef44ec32e98b91ffd50201cc96f86cf9

SHA256
826f431570c49ac51a39bd772ac8ada5fe05253361e05ef60db22a234b8fbc59

SHA512
0886d881356d8d670fec7ae90e43287e0203b05d6e46e12784c0c3630ae815e7f3ca285743a95693a370d7d3171bf71a73e6cdd2df067636dfe237d07d9d8655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\pepflashplayer.dll
Filesize
15.3MB

MD5
97c3a6be6f000e0681c58b78419e2c19

SHA1
8483463cbb1a708f8d19413c146091a37b8dbcc2

SHA256
c650eed91f12c5d202cb4d291b4c68f656a24d0a9783fd84d72e00cf6b21c3a7

SHA512
2b2c271b7da44adab4f111851f455219659e19574ba89aa1cea46a89d74e9beebebdf69d6cc2b0f3f31cd99793eb3f53d1402aa5a0cbee8944e8e8551459d432

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
11.3MB

MD5
43f59d21a2ce8ea54b3cccdedc813c87

SHA1
34837e86e8f11b57c07e6544ffa49e99e699f1ad

SHA256
e8241731c036122f09b57c556eace451b4a8a4fa2fa2e63a6b4318b25e49e7e3

SHA512
5a9cb9a48c66ba183d28e2a15ac9a2c49d2a947ec4516025a5d54bf401b307c9cc94c28a435da2e1de4dfdef95923b3cc12ca33a76e8e47473908f59ab765847

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
11.3MB

MD5
43f59d21a2ce8ea54b3cccdedc813c87

SHA1
34837e86e8f11b57c07e6544ffa49e99e699f1ad

SHA256
e8241731c036122f09b57c556eace451b4a8a4fa2fa2e63a6b4318b25e49e7e3

SHA512
5a9cb9a48c66ba183d28e2a15ac9a2c49d2a947ec4516025a5d54bf401b307c9cc94c28a435da2e1de4dfdef95923b3cc12ca33a76e8e47473908f59ab765847

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
2a093572d365b6d6094e600f1cc66486

SHA1
4552a0c5af272e4cb9a56f2f755b99a11bf360af

SHA256
aa19ba2e7bb476f879e05a16c5d844ac2d9e25221f0b47d7307be2d99c54173b

SHA512
c1f0945bd84cbf3b1ad0cf24762259f4bb6d6a73c20658d1b5070585f9f96a9f884050e106149ef7ac45f39f14ef3c43100309ddb6f6b028a5a2895c0ae17027

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll
Filesize
9.4MB

MD5
9fb7d3a9a438d1d64c59d7f7b341573c

SHA1
25c63ddc242f767082c01d43296c9ab64b9a603a

SHA256
8d25bca3a4ec907a5addabaeb5f4244c88eb111f1c0b531a616533aa9f2e7a11

SHA512
6fb8b2fc1f53ad3411643dee523cd0c408cec99921e88895e1501d2caa700fde39d287bc58d28245ba6e053b565bd11481e830732ecf1ee1e2ec95080b0d089f

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat
Filesize
9KB

MD5
b444d4d5d3979497975a98d61ae7ee6c

SHA1
0eac5ab65a1df52e7d5cdc3c6ddcfdd5e1195842

SHA256
cc22fd3b4156bfa88ecfa173841db14e379d9b9b72fa552f9a331aee161d36d9

SHA512
a7cad967b1ae1fdff5f0de1d0b399a91afc83d5eae3ccebdb131fba1bb332b959f969bb0dc317e652236ef127980ee5faa1dd7d0a2bda0b6b12105705189c48a

Download Submit
C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat
Filesize
4KB

MD5
960fa5690a75088fd25e50217cb6d6f8

SHA1
9ff3fb909835bda47d3ca7b45b69754dc3b79cf2

SHA256
256e1bc27ddd9d0f0197371ed5db4211cdfb704b41f89ddf72d07547551fa585

SHA512
19442c8590c9f7d592bdc8490ba8c72072472032b10b224a0ea790adbefd1bbb4d6637d7def34667aeea991d11a991fefe84377eb65b5b129e53d5726cd8075d

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
13.2MB

MD5
1b47e0e2e0beaa44d727c364ac83fc3f

SHA1
166f981c43da2ca3bc31ffcfe827ebee6e8e755d

SHA256
7199672c4864c83bf315958d7d34c394b913c89a7a2829b61a38cbebf09c739f

SHA512
12f9439a71ae0ee20d5aff0cfc13368f6268ffd88dcd05ba55021c806d78adda8dd117c315eab6e1da08c9fd3375c3310744881a223f6cc269b72ecf6633c671

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
13.2MB

MD5
1b47e0e2e0beaa44d727c364ac83fc3f

SHA1
166f981c43da2ca3bc31ffcfe827ebee6e8e755d

SHA256
7199672c4864c83bf315958d7d34c394b913c89a7a2829b61a38cbebf09c739f

SHA512
12f9439a71ae0ee20d5aff0cfc13368f6268ffd88dcd05ba55021c806d78adda8dd117c315eab6e1da08c9fd3375c3310744881a223f6cc269b72ecf6633c671

Download Submit
C:\Windows\System32\Macromed\Flash\NPSWF.dll
Filesize
11.6MB

MD5
ea70fce7aa51895032e2351198222300

SHA1
800144719de1abffecfaee057d5c37dcdcc62b20

SHA256
35a7fa0af957f5cd78f6cc32cc283924583475d46d3b7285c5622b18833cb775

SHA512
90adda663c405e56933f7f54f541812478598c8dd703028226dad5a4993bb47011c033e869a21748b0944cb2c4ce8faec9473ec6faee228e9436bf22545ab1e8

Download Submit
memory/224-148-0x0000000000000000-mapping.dmp

Download
memory/448-186-0x0000000000000000-mapping.dmp

Download
memory/528-204-0x0000000000000000-mapping.dmp

Download
memory/832-200-0x0000000000000000-mapping.dmp

Download
memory/868-175-0x0000000000000000-mapping.dmp

Download
memory/884-176-0x0000000000000000-mapping.dmp

Download
memory/1056-178-0x0000000000000000-mapping.dmp

Download
memory/1068-165-0x0000000000000000-mapping.dmp

Download
memory/1332-179-0x0000000000000000-mapping.dmp

Download
memory/1336-202-0x0000000000000000-mapping.dmp

Download
memory/1480-135-0x0000000000000000-mapping.dmp

Download
memory/1496-201-0x0000000000000000-mapping.dmp

Download
memory/1556-161-0x0000000000000000-mapping.dmp

Download
memory/1676-173-0x0000000000000000-mapping.dmp

Download
memory/1712-144-0x0000000000000000-mapping.dmp

Download
memory/1864-199-0x0000000000000000-mapping.dmp

Download
memory/1916-160-0x0000000000000000-mapping.dmp

Download
memory/1960-190-0x0000000000000000-mapping.dmp

Download
memory/2008-145-0x0000000000000000-mapping.dmp

Download
memory/2168-169-0x0000000000000000-mapping.dmp

Download
memory/2240-151-0x0000000000000000-mapping.dmp

Download
memory/2508-168-0x0000000000000000-mapping.dmp

Download
memory/2656-195-0x0000000000000000-mapping.dmp

Download
memory/2688-146-0x0000000000000000-mapping.dmp

Download
memory/2976-134-0x0000000000000000-mapping.dmp

Download
memory/3080-133-0x0000000000000000-mapping.dmp

Download
memory/3204-192-0x0000000000000000-mapping.dmp

Download
memory/3244-180-0x0000000000000000-mapping.dmp

Download
memory/3300-174-0x0000000000000000-mapping.dmp

Download
memory/3364-196-0x0000000000000000-mapping.dmp

Download
memory/3444-172-0x0000000000000000-mapping.dmp

Download
memory/3464-156-0x0000000000000000-mapping.dmp

Download
memory/3492-155-0x0000000000000000-mapping.dmp

Download
memory/3536-198-0x0000000000000000-mapping.dmp

Download
memory/3560-149-0x0000000000000000-mapping.dmp

Download
memory/3624-158-0x0000000000000000-mapping.dmp

Download
memory/3628-154-0x0000000000000000-mapping.dmp

Download
memory/3780-187-0x0000000000000000-mapping.dmp

Download
memory/3816-153-0x0000000000000000-mapping.dmp

Download
memory/3820-177-0x0000000000000000-mapping.dmp

Download
memory/3872-157-0x0000000000000000-mapping.dmp

Download
memory/3976-203-0x0000000000000000-mapping.dmp

Download
memory/4024-140-0x0000000000000000-mapping.dmp

Download
memory/4032-147-0x0000000000000000-mapping.dmp

Download
memory/4076-183-0x0000000000000000-mapping.dmp

Download
memory/4148-197-0x0000000000000000-mapping.dmp

Download
memory/4184-167-0x0000000000000000-mapping.dmp

Download
memory/4204-143-0x0000000000000000-mapping.dmp

Download
memory/4216-171-0x0000000000000000-mapping.dmp

Download
memory/4232-181-0x0000000000000000-mapping.dmp

Download
memory/4240-159-0x0000000000000000-mapping.dmp

Download
memory/4312-163-0x0000000000000000-mapping.dmp

Download
memory/4360-150-0x0000000000000000-mapping.dmp

Download
memory/4580-193-0x0000000000000000-mapping.dmp

Download
memory/4656-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4656-235-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4656-210-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4712-194-0x0000000000000000-mapping.dmp

Download
memory/4852-166-0x0000000000000000-mapping.dmp

Download
memory/4924-137-0x0000000000000000-mapping.dmp

Download
memory/4960-164-0x0000000000000000-mapping.dmp

Download
memory/4972-152-0x0000000000000000-mapping.dmp

Download
memory/4996-189-0x0000000000000000-mapping.dmp

Download
memory/5040-170-0x0000000000000000-mapping.dmp

Download
memory/5084-182-0x0000000000000000-mapping.dmp

Download
memory/5104-162-0x0000000000000000-mapping.dmp

Download
memory/5112-142-0x0000000000000000-mapping.dmp

Download