4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-03-2023 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe
Size

23.9MB
MD5

3b02025002ceb06c4ce1c9c778232664
SHA1

2aeb8b0adb9cc4f198a9f4d907a28ffd2961caf5
SHA256

4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea
SHA512

c64361646ade95d4177ed95800a0c4ac94faf9d1193e7129b219cec01364ff58f48c010571c9983ef104cba70af804be3128c32e96d2a6371828949e452d0dc6
SSDEEP

393216:7g386T9Y2gJ2TfSKq2OVUXsv2hFvu/eETawOUNzi14igQMAzkck2fjdgQv/:k8I9cJ2rSKqNU8MGnTEKziDUyfqQv/

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 16 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2036	icacls.exe
1768	icacls.exe
896	takeown.exe
768	takeown.exe
952	icacls.exe
1576	icacls.exe
1224	takeown.exe
1608	takeown.exe
1600	icacls.exe
1440	takeown.exe
340	icacls.exe
896	icacls.exe
1656	icacls.exe
1536	icacls.exe
768	takeown.exe
1876	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

Adobe_Flash_Player_ActiveX_v34_0_0_282.exeAdobe_Flash_Player_NPAPI_v34_0_0_282.exeAdobe_Flash_Player_PPAPI_v34_0_0_282.exe

pid process

1424 Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
292 Adobe_Flash_Player_NPAPI_v34_0_0_282.exe
932 Adobe_Flash_Player_PPAPI_v34_0_0_282.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exereg.exe

pid process

1804 regsvr32.exe
1812 reg.exe

pid	process
1804	regsvr32.exe
1812	reg.exe

Modifies file permissions 1 TTPs 16 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
952	icacls.exe
1656	icacls.exe
1600	icacls.exe
1536	icacls.exe
1608	takeown.exe
1224	takeown.exe
1876	icacls.exe
1440	takeown.exe
1768	icacls.exe
768	takeown.exe
2036	icacls.exe
1576	icacls.exe
768	takeown.exe
340	icacls.exe
896	icacls.exe
896	takeown.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Drops file in System32 directory 44 IoCs

Processes:

xcopy.exereg.exexcopy.exexcopy.exexcopy.exereg.execmd.exexcopy.exereg.exeregsvr32.exexcopy.execmd.exereg.exexcopy.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe	reg.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll	reg.exe
File created	C:\Windows\System32\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ico	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	reg.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	reg.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll	reg.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\manifest.json	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat	reg.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerApp.exe	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	reg.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	regsvr32.exe
File opened for modification	C:\Windows\System32\Macromed\Flash	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe	reg.exe
File created	C:\Windows\System32\Macromed\Flash\manifest.json	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat	cmd.exe
File created	C:\Windows\System32\Macromed\Flash\Flash.ico	xcopy.exe
File created	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash.ico	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat	cmd.exe
File created	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	reg.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat	reg.exe
File created	C:\Windows\System32\Macromed\Flash\NPSWF.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	reg.exe
File created	C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll	xcopy.exe
File created	C:\Windows\SysWOW64\FlashPlayerApp.exe	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File opened for modification	C:\Windows\System32\Macromed\Flash\Flash.ocx	xcopy.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	reg.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	reg.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash	xcopy.exe

Drops file in Windows directory 1 IoCs

Processes:

xcopy.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 xcopy.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1988 sc.exe
928 sc.exe
584 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1608 timeout.exe
808 timeout.exe
1980 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2016 taskkill.exe
360 taskkill.exe
316 taskkill.exe
1980 taskkill.exe
1880 taskkill.exe
1860 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	xcopy.exe

pid	process
1988	sc.exe
928	sc.exe
584	sc.exe

pid	process
1608	timeout.exe
808	timeout.exe
1980	timeout.exe

pid	process
2016	taskkill.exe
360	taskkill.exe
316	taskkill.exe
1980	taskkill.exe
1880	taskkill.exe
1860	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	reg.exe

Modifies registry class 64 IoCs

Processes:

reg.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.29\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.28\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.30\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win64\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.30\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win64\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx\\2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.33\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.34\ = "Shockwave Flash Object"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.34\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

Adobe_Flash_Player_ActiveX_v34_0_0_282.exeregsvr32.exereg.exeAdobe_Flash_Player_NPAPI_v34_0_0_282.exeAdobe_Flash_Player_PPAPI_v34_0_0_282.exe

pid	process
1424	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
1804	regsvr32.exe
112	reg.exe
292	Adobe_Flash_Player_NPAPI_v34_0_0_282.exe
932	Adobe_Flash_Player_PPAPI_v34_0_0_282.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exeschtasks.exereg.exereg.exetaskkill.exereg.exe

description	pid	process
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1980	schtasks.exe
Token: SeDebugPrivilege	1880	reg.exe
Token: SeDebugPrivilege	1860	reg.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	360	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

regsvr32.exereg.exe

pid process

1804 regsvr32.exe
1812 reg.exe

pid	process
1804	regsvr32.exe
1812	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.execmd.exeAdobe_Flash_Player_ActiveX_v34_0_0_282.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 1716	816	4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe	cmd.exe
PID 816 wrote to memory of 1716	816	4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe	cmd.exe
PID 816 wrote to memory of 1716	816	4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe	cmd.exe
PID 816 wrote to memory of 1716	816	4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe	cmd.exe
PID 1716 wrote to memory of 1424	1716	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
PID 1716 wrote to memory of 1424	1716	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
PID 1716 wrote to memory of 1424	1716	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
PID 1716 wrote to memory of 1424	1716	cmd.exe	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
PID 1424 wrote to memory of 1220	1424	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe	cmd.exe
PID 1424 wrote to memory of 1220	1424	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe	cmd.exe
PID 1424 wrote to memory of 1220	1424	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe	cmd.exe
PID 1424 wrote to memory of 1220	1424	Adobe_Flash_Player_ActiveX_v34_0_0_282.exe	cmd.exe
PID 1220 wrote to memory of 920	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 920	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 920	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 584	1220	cmd.exe	sc.exe
PID 1220 wrote to memory of 584	1220	cmd.exe	sc.exe
PID 1220 wrote to memory of 584	1220	cmd.exe	sc.exe
PID 1220 wrote to memory of 316	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 316	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 316	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 1980	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1980	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1980	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1452	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1452	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1452	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 328	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 328	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 328	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1612	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1612	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1612	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 808	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 808	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 808	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1620	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1620	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1620	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1104	1220	cmd.exe	xcopy.exe
PID 1220 wrote to memory of 1104	1220	cmd.exe	xcopy.exe
PID 1220 wrote to memory of 1104	1220	cmd.exe	xcopy.exe
PID 1220 wrote to memory of 1488	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1488	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1488	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1776	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1776	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1776	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1300	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1300	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 1300	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 392	1220	cmd.exe	conhost.exe
PID 1220 wrote to memory of 392	1220	cmd.exe	conhost.exe
PID 1220 wrote to memory of 392	1220	cmd.exe	conhost.exe
PID 1220 wrote to memory of 1632	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 1632	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 1632	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 1224	1220	cmd.exe	conhost.exe
PID 1220 wrote to memory of 1224	1220	cmd.exe	conhost.exe
PID 1220 wrote to memory of 1224	1220	cmd.exe	conhost.exe
PID 1220 wrote to memory of 768	1220	cmd.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe
"C:\Users\Admin\AppData\Local\Temp\4a85535f165367309410152cfe883e27e953fbe5a9ae813e22ab0e8dbf7cedea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_282.exe /ai /gm2
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:920

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:584

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
PID:1980

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:1452

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:328

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:1612

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:808

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:1676

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:1620

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:1104

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1488

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1776

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:392

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:1632

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1224

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:768

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:992

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1296

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerApp.exe" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:856

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:896

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1604

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerApp.exe" /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:940

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayer" /f
5⤵
PID:2004

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f
5⤵
PID:1092

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType" /f
5⤵
PID:1148

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer" /f
5⤵
PID:1960

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f
5⤵
PID:1728

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
6⤵
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
6⤵
- Kills process with taskkill
PID:360

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
6⤵
PID:1556

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
6⤵
PID:1880

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
6⤵
PID:2032

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
6⤵
PID:1896

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
6⤵
PID:1456

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:768

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1440

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\*" "C:\Windows\System32\Macromed\Flash\"
6⤵
- Drops file in System32 directory
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
6⤵
- Drops file in System32 directory
PID:1732

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
6⤵
PID:872

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
6⤵
PID:1468

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
6⤵
PID:1516

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
6⤵
PID:928

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
6⤵
PID:844

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
6⤵
PID:920

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
6⤵
PID:1888

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll"
6⤵
PID:1988

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
6⤵
- Delays execution with timeout.exe
PID:1980

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
6⤵
PID:108

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.282"
6⤵
PID:804

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\pepflashplayer.dll"
6⤵
- Drops file in System32 directory
PID:1508

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
6⤵
- Drops file in System32 directory
PID:1240

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.282"
6⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
6⤵
PID:784

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
6⤵
- Drops file in System32 directory
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
6⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
6⤵
PID:1776

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
6⤵
PID:1928

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
6⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
6⤵
PID:648

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
6⤵
PID:808

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
6⤵
PID:1448

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
6⤵
PID:1676

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
6⤵
PID:2000

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
6⤵
PID:316

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
6⤵
- Launches sc.exe
PID:928

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveXReleaseType" /f
5⤵
PID:2016

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe" /f
5⤵
PID:2008

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_ActiveX.exe" /f
5⤵
PID:1096

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_ActiveX.exe" /f
5⤵
PID:292

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1688

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\*" "C:\Windows\SysWOW64\"
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1468

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1516

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:920

C:\Windows\system32\find.exe
find "6.0."
5⤵
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:648

C:\Windows\system32\find.exe
find "6.0."
5⤵
PID:1044

C:\Windows\system32\find.exe
find "6.1."
5⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:508

C:\Windows\system32\find.exe
find "5."
5⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:1936

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash7.ocx" "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
- Drops file in System32 directory
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1452

C:\Windows\system32\find.exe
find "5."
5⤵
PID:1384

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash7.ocx" "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
- Drops file in System32 directory
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1620

C:\Windows\system32\find.exe
find "6.1."
5⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:808

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
PID:112

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
6⤵
PID:1812

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.282"
5⤵
PID:340

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
5⤵
PID:856

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:1608

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
5⤵
PID:1900

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.282"
5⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1232

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayName" /d "Adobe Flash Player 34 ActiveX"
4⤵
PID:1892

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat"
4⤵
PID:2024

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
4⤵
PID:1148

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "HelpLink" /d "https://www.423down.com/13691.html"
4⤵
PID:1604

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayVersion" /d "34.0.0.282"
4⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_282.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_282.exe /ai /gm2
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat"
4⤵
PID:1936

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
5⤵
PID:1888

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
5⤵
- Kills process with taskkill
PID:1880

C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
5⤵
- Launches sc.exe
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
5⤵
- Kills process with taskkill
PID:1860

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
5⤵
PID:1928

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
5⤵
PID:1224

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
5⤵
PID:1812

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
5⤵
PID:1248

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
5⤵
PID:1232

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
PID:1296

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:896

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2036

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f
5⤵
PID:1280

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /f /v "cval"
5⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f
5⤵
PID:1724

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f
5⤵
PID:940

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\*" "C:\Windows\System32\Macromed\Flash\"
5⤵
- Drops file in System32 directory
PID:1004

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.282"
5⤵
PID:108

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
5⤵
PID:1988

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
5⤵
PID:1464

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.282"
5⤵
PID:1704

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
5⤵
PID:840

C:\Windows\system32\timeout.exe
TIMEOUT /t 2
5⤵
- Delays execution with timeout.exe
PID:808

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "XPTPath" /d "C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt"
5⤵
PID:1484

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.282"
5⤵
PID:1452

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.282"
5⤵
PID:1980

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
5⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
5⤵
- Drops file in System32 directory
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:664

C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
5⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1752

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPluginReleaseType" /f
5⤵
PID:516

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f
5⤵
PID:1696

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPluginReleaseType" /f
5⤵
PID:1892

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center\Svc\Vol" /f
5⤵
PID:1960

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
5⤵
PID:728

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
5⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
5⤵
PID:340

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
5⤵
- Drops file in System32 directory
PID:1072

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
5⤵
PID:112

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
5⤵
PID:1768

C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
5⤵
PID:952

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 NPAPI"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat"
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:112

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "HelpLink" /d "https://www.423down.com/13691.html"
4⤵
PID:952

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayVersion" /d "34.0.0.282"
4⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_282.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_282.exe /ai /gm2
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat"
4⤵
PID:1728

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat"
4⤵
PID:1936

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ico"
4⤵
PID:604

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "HelpLink" /d "https://www.423down.com/13691.html"
4⤵
PID:1676

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayVersion" /d "34.0.0.282"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 PPAPI"
4⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "410546331-735755868-599596851-760364623489480158-1730929129-2089399768-712715297"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9138714351497632801-14310339861212516911-95214643-21156693615540844771866890121"
1⤵
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-630053284408757658-1723274112713308234-15657353651683986130-2551905971148726453"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-156352769214889753191779252292-1087893962313271701676537298-1242451030-371960305"
1⤵
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5914291221375390102-1436683135-1105854391946395668-1726886149235333370-936868776"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18366571491890241641-867565484-8696045061750250333-380182850-81356803-1265883549"
1⤵
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12659205441869113026-2108340782008549788-10638760419175174411065966205-1167653859"
1⤵
PID:392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1903260203-459921625903619215-134299082-116304021-1106457667-695883210166906412"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1972439322129048740-1294244023349440229-21067663710878120561236128119-863253553"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9743559671182754280744301638843588321-7182508281972177409-872218446-1411302492"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1313320885-845538481557568593459132023-935370523-915031170400759221149446874"
1⤵
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1827762936410621645-1408469209-159266100-572611493-1205618830-75831643-1598436475"
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2116494644-1957989874-933603952782947200-1381334054-1895162652-1838582557636416657"
1⤵
PID:2000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
Filesize
10.3MB

MD5
8a7ea031988376ac735096d48025adb2

SHA1
4e26177bd935caff1beb04b1fdf72b03f41f990a

SHA256
f6a97d21084c3f2c080a96ee87e9f972aaf94512b216982b1d56ebbe6f63d9a4

SHA512
b062c024377104db35dcbe4b1b52994260df76ede5887c0f2c036397a7eb9a97e4d3a6dc79340ce9d7160c732138081dac4e044521d422841980cd850e42e73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_282.exe
Filesize
10.3MB

MD5
8a7ea031988376ac735096d48025adb2

SHA1
4e26177bd935caff1beb04b1fdf72b03f41f990a

SHA256
f6a97d21084c3f2c080a96ee87e9f972aaf94512b216982b1d56ebbe6f63d9a4

SHA512
b062c024377104db35dcbe4b1b52994260df76ede5887c0f2c036397a7eb9a97e4d3a6dc79340ce9d7160c732138081dac4e044521d422841980cd850e42e73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_282.exe
Filesize
6.8MB

MD5
ab3e8073bd713bc839d1dd4ef7ace85b

SHA1
bc39d8e632eccec2998f7fd3eaeba2455ccd9325

SHA256
c36ed668908529659481d87d97e0e0a9d84a33dda06d1fff5c7978f4bfa2995a

SHA512
cb1af6bb7debfd1a6a4c50b7e8dc32f654c8cc38721f9e176c40917cea6c338a86de0c81a4f042040bd9ae13fb808a732c29e31ab0eedf6399f23e95bbc7cfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_282.exe
Filesize
6.8MB

MD5
ab3e8073bd713bc839d1dd4ef7ace85b

SHA1
bc39d8e632eccec2998f7fd3eaeba2455ccd9325

SHA256
c36ed668908529659481d87d97e0e0a9d84a33dda06d1fff5c7978f4bfa2995a

SHA512
cb1af6bb7debfd1a6a4c50b7e8dc32f654c8cc38721f9e176c40917cea6c338a86de0c81a4f042040bd9ae13fb808a732c29e31ab0eedf6399f23e95bbc7cfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_282.exe
Filesize
7.1MB

MD5
f89b055b8e491a09f6b16d61f82694ad

SHA1
cc62826e2c56a6e03e3152fae043fbee2bbcaa6c

SHA256
d6887b7ad156bd87eba1da70b2e839dd4f90abc19c409a2f848ba48831d29a15

SHA512
c509309aa1d9c1e883e2fbdc24addbc4a24f46d01ea71470521ee44e4ff5109ef53200f6bb82d5ee652c7ba36c47002d79c65b919b2599449f6eb21ce9c07817

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_282.exe
Filesize
7.1MB

MD5
f89b055b8e491a09f6b16d61f82694ad

SHA1
cc62826e2c56a6e03e3152fae043fbee2bbcaa6c

SHA256
d6887b7ad156bd87eba1da70b2e839dd4f90abc19c409a2f848ba48831d29a15

SHA512
c509309aa1d9c1e883e2fbdc24addbc4a24f46d01ea71470521ee44e4ff5109ef53200f6bb82d5ee652c7ba36c47002d79c65b919b2599449f6eb21ce9c07817

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd
Filesize
101B

MD5
4775687903b0467498383b8fe5923733

SHA1
b0e57be3a2bda21e920c8d25443d9fdacfe766ea

SHA256
710d39c44bc741028cf507d656fe5cb9fbaed0661ec8a11af0d0cbd7a5b9fdbc

SHA512
eaca790b52a46f741b939e420145fedc93dead9ef9e27b139214cee13fa1f669c4b685ac26631e0db7433c858413d48bf0e1e094102167e226777f6292d1c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd
Filesize
101B

MD5
4775687903b0467498383b8fe5923733

SHA1
b0e57be3a2bda21e920c8d25443d9fdacfe766ea

SHA256
710d39c44bc741028cf507d656fe5cb9fbaed0661ec8a11af0d0cbd7a5b9fdbc

SHA512
eaca790b52a46f741b939e420145fedc93dead9ef9e27b139214cee13fa1f669c4b685ac26631e0db7433c858413d48bf0e1e094102167e226777f6292d1c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat
Filesize
8KB

MD5
cdb66b0622c30ea67419a39716d8aa15

SHA1
1f40ff028e4c41ce4bb749144fadb57d37d9eb67

SHA256
a72870d292981fd76be6b0256c52b26a5fa1ab6b9286dba144ce0822c046fc8c

SHA512
a718f96b779d0a680e5c2f3f9c736e531204a093885feabfa337d02b43fbb63680e95ce4aa2ecd3ba4885d45f20718a0124d81dece6776b91929f1e242025347

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\423Down.url
Filesize
209B

MD5
6d2178f6fbf26d009562415daf5a2cb7

SHA1
60804c9f71460d19cbf5a7b30f5d467c7547803c

SHA256
93585a844b68e62ad7aa69b013b7f10d8b949a7f35af0b9b6b823aa526f7af8f

SHA512
95a39fd75abd54dd017b229fdbccb522bd78113ec80586e5ddf81d9787e854853535f983b9bedbcad4ae0d54c792c97721ab93a454ee513622e52a81474b2fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat
Filesize
9KB

MD5
b444d4d5d3979497975a98d61ae7ee6c

SHA1
0eac5ab65a1df52e7d5cdc3c6ddcfdd5e1195842

SHA256
cc22fd3b4156bfa88ecfa173841db14e379d9b9b72fa552f9a331aee161d36d9

SHA512
a7cad967b1ae1fdff5f0de1d0b399a91afc83d5eae3ccebdb131fba1bb332b959f969bb0dc317e652236ef127980ee5faa1dd7d0a2bda0b6b12105705189c48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerApp.exe
Filesize
829KB

MD5
0b6ff3fd68bba54f7fa65e9b986f7585

SHA1
483b470bf16d95ddfd41a81a81e740d7fa9814d2

SHA256
25dda07abdf448c954be43fdad70e0e7a5aa502f1c69f9c5796fd7032e347d70

SHA512
49ecf53c85e8f41171610b7b396c229649376cc5dff709c4048b29905289830b860d0eac1e32f92d6a64a97f9130f9a72d95916989001d96a9e9f186b2c77b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerCPLApp.cpl
Filesize
173KB

MD5
a5e956c7baae03b45585b021a6f66bab

SHA1
909ee123f9fd99c7bd67e11b1bf169640aab3bfc

SHA256
e2c76d674e5e8ad356115666bdbbeaa22f82b79bceb8c7f1656969d8f0fcb0e5

SHA512
96a8b960ce760bf7eb10b38bc83e14e9e0588691a1c3482c546ff3e49054d3cb15ebe9d78e7144ca14f7da970179574b9054ebbfc9838f60ddc7933c3ff7e6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx
Filesize
11.3MB

MD5
c9786ebdbce07756ef9057f83d26b97f

SHA1
95e9e3c8b62752b423263f873fdf1a51c7fc3052

SHA256
a4857b0a5baf1bc3d430456f4a5e4387ae4c8e03a32ce8ec08cb0814cb1c742b

SHA512
1d50e8165103bba77799b1a7d62a4ff0946a51f85cc8ad247f1da9c5231387b95f84013e20049943bb6ff4d5633dc01264172b90200999e28ad1c5743034e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash7.ocx
Filesize
9.5MB

MD5
4af7210a2e23270a1041d6f33c743370

SHA1
0f8ac204120184f273d8c0156a85ae7e32a191fd

SHA256
a937d15d087c5c13bdb532cb5b2dcfc0df37e1fed8393344e5b7dea2f9235b83

SHA512
d8f9778307465c29a7b6d150e04184c989bd93d986d45b1bc7135bafacf57c03ce03388772501387ad0f2b0ad7b588011c835434b7ac6b3e39828d719bffea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx
Filesize
13.2MB

MD5
a2d7c01eca3b652859b451dd050e9f59

SHA1
6e1e6410c4da6ad1ea2707e88c66fe4870235595

SHA256
4fd4141cc0bfd8fca9893955bcbdea2a502b46bd68da7a5aab6fac46c16bfd14

SHA512
01b74c849fe11e7781598d89b25e52e1804141bbc0c70dc72874d041ca780ee076cd819d704c50ce2943c8ad40999f3ebb6dc3d303862ba47930309ecf5405d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash7.ocx
Filesize
12.0MB

MD5
4a85a3d15dba07d98e777306d0cca600

SHA1
4e04f1ac39119608aa04953efa78a01c8aeae636

SHA256
bd19093830fadc2fc41e73cbf4c0e9d5385b25cc8d53a513c020d182fd97f57b

SHA512
72c8c0b4afb4280fab980f7ea49288e72e9532ca3732272fd61236eca410df141216282cf0b74a74657650c9670a3f266f01da836615f23557a0f5d86a5984f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat
Filesize
6KB

MD5
341a55f2b733879ef74d6c9de1b36de7

SHA1
23c24baf2f4153a787494c824a364a304d8e0f1c

SHA256
99906173ff5e9f06056200d5f658b7a9dec478c86cb4eba3f628791b7b351c20

SHA512
2c31cf5ef4dd1e5cbfcb6dfb0d1ce5239d8b30f57f8e80c55ef2f6af9c6e09b7a84f7f8750fc93f20c653ae463f24d9ee7c99a4bbeb2ba66bbefde6a0d913de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat
Filesize
4KB

MD5
960fa5690a75088fd25e50217cb6d6f8

SHA1
9ff3fb909835bda47d3ca7b45b69754dc3b79cf2

SHA256
256e1bc27ddd9d0f0197371ed5db4211cdfb704b41f89ddf72d07547551fa585

SHA512
19442c8590c9f7d592bdc8490ba8c72072472032b10b224a0ea790adbefd1bbb4d6637d7def34667aeea991d11a991fefe84377eb65b5b129e53d5726cd8075d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
ba2c494e6db5b1836285a31205416678

SHA1
c096cb45202705bf5b52cf3740eb17e40f8b3979

SHA256
84009f530f6aa7aaa19e9bcaf87cbcd3c658a9fc270d056f5508a7f8e4a43f1f

SHA512
ae0cb3d7a39f63e53e2cef8cbb3bc815add68de0a13ca9d4e579cd129de0abfcab336cbe48d83b5f35867474d35f1d0c7d17038e78fca7471daed8e653cd0ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\NPSWF.dll
Filesize
9.4MB

MD5
7e494a4daff4ec78c57c7627d42b0243

SHA1
a8e6ae2caba755289779d0702d474a56fd8125b3

SHA256
c250df0410c7dbb9769a7511e044d38864efa255edec599ceecddd1ff9917f3a

SHA512
8045b1a78a26819244f837c516810b64c195875b48c71c59d4ae688498b6c430e2d5083f0716f8b9c87f8231b83c06ce2802c3b307ccfacda6cec70a17775905

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\NPSWF.dll
Filesize
11.6MB

MD5
f2f32c33fc3b5a8d1727c0851f257362

SHA1
f903eb68a3468a2a429152f59a5c36f22054c505

SHA256
968046072b02e4807a4b37849655f13c45266e2e54e13205aa2c1c712b5c857c

SHA512
993daeb926245a708205bca296a62a4985b1bb502eab995081bb7302753d3d3e34d1aa26f92cf911fdd6b19e60660ecedeee8930e01eca4d558daabf088816a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat
Filesize
5KB

MD5
2c4383bafb0e6ed859cd3e353d0645d4

SHA1
c479bf24ad05dd852aeb3d6414c78504b4cf07fb

SHA256
00f6fdf2ce272ab71f399026000ea440069156af3b40955fb1b510e690ee6952

SHA512
f87c686fe56f81c836351038af7a517a42344498f06493bf59a07f164164d4322bd8a02ed3201230b443b4aa2c8ed97617163728d36597ac3d8deb8249ef1033

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat
Filesize
4KB

MD5
1502e7531bf2ad953a7cc67736ba24da

SHA1
6fab2b539b233fb8f5ef000808b9387f45ca8f70

SHA256
ce2e51405fc9fb05037723e35e8d9c76cf5a9b11487a2c612c5f8c03cb278a53

SHA512
c946fb3a8d8b37b60c566baeae5364ab3896b6a63e415e991117471c891d88b1876aee419a7699c9fbf5295fb9fe6096a722212e87bd896c16f9eefbc6a23bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\manifest.json
Filesize
2KB

MD5
6dd91df40a978355fcbd4465b237a9b8

SHA1
6caf51826eb498fdcd987da5a5743882dba50616

SHA256
74427bb46abd26cc852fa0dcc2ea8ce71133c26a3d91959f0aa3dfcf25ab5cc6

SHA512
f6904d1da39a82b60d5a8502a37eabbdcccc6e78e83af6ae439e4a9decc097c10633e350158d807796d6928f38c8549e468f1ee8b00bdb70400aa2e138fbcca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\pepflashplayer.dll
Filesize
8.6MB

MD5
53036614f8d73b2b08bc603fa5b7b7d0

SHA1
313ff8947464669244ea68d77eb79fb3ce594d91

SHA256
980f44d3ee0f1a3dab49363dc5d4d8e95a18d717bb704f3346020aa83ccd7832

SHA512
6f898b0c9b5a3aa359019b32cdfeb87beda7fb44f36983b243c2c7848961bb857e97f98918c7b89cb918b3a1849b57927aaf547ea17e416178d27db5e946388e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\manifest.json
Filesize
2KB

MD5
ecb7095d6c04b7971c0eaf233c1e2580

SHA1
c215972bec6b119a4de8000b8135eca0749297a5

SHA256
a84b67a14617addae0213ab36ae69f57c1ce5f43fdeaa878ea39771d0d68312b

SHA512
6237262641b1b480ddfb18c35b72ef241bf7e4f8dc8c42e2a8ec2efb074e375ecec288807779d371bdff5593b77a490603d8e380f802b0371b0d21c83b6a961a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\pepflashplayer.dll
Filesize
15.3MB

MD5
c38a3e93484675b42b513313ff045162

SHA1
950ee6a00537b920830808c3157328cbd2e596ec

SHA256
29bf698dda2c616118f55d85bbc5665f12f2a440f48e5b871c6823b2d9b3107e

SHA512
b27dce7496baf7c89f6268ca7e40cd25e0d90aa394eb690429e61e4f669a5f825b78a250d28e5a052fbea10de4c71e767da98a6671de922dec5582409d6f4d63

Download Submit
C:\Windows\SysWOW64\FlashPlayerApp.exe
Filesize
829KB

MD5
0b6ff3fd68bba54f7fa65e9b986f7585

SHA1
483b470bf16d95ddfd41a81a81e740d7fa9814d2

SHA256
25dda07abdf448c954be43fdad70e0e7a5aa502f1c69f9c5796fd7032e347d70

SHA512
49ecf53c85e8f41171610b7b396c229649376cc5dff709c4048b29905289830b860d0eac1e32f92d6a64a97f9130f9a72d95916989001d96a9e9f186b2c77b5e

Download Submit
C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
Filesize
173KB

MD5
a5e956c7baae03b45585b021a6f66bab

SHA1
909ee123f9fd99c7bd67e11b1bf169640aab3bfc

SHA256
e2c76d674e5e8ad356115666bdbbeaa22f82b79bceb8c7f1656969d8f0fcb0e5

SHA512
96a8b960ce760bf7eb10b38bc83e14e9e0588691a1c3482c546ff3e49054d3cb15ebe9d78e7144ca14f7da970179574b9054ebbfc9838f60ddc7933c3ff7e6c3

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
200a616684282a40a15a488bad834b6d

SHA1
f2b2d1a8beb5e9dd17b3c81a140b8b2c91846532

SHA256
756783c6ed166b3a33ab2d6901962cfce51e05807249c91736403795adffaafd

SHA512
aa4c63fcbf83dbeb4a5187d27340c0b0bd2b7480eec2bbdb5b2be24713b877dd70ef116d074f7956f004d3f1c6e7943d0e925e5e010a07901da7cbeb5615280d

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
4af7210a2e23270a1041d6f33c743370

SHA1
0f8ac204120184f273d8c0156a85ae7e32a191fd

SHA256
a937d15d087c5c13bdb532cb5b2dcfc0df37e1fed8393344e5b7dea2f9235b83

SHA512
d8f9778307465c29a7b6d150e04184c989bd93d986d45b1bc7135bafacf57c03ce03388772501387ad0f2b0ad7b588011c835434b7ac6b3e39828d719bffea50

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
4af7210a2e23270a1041d6f33c743370

SHA1
0f8ac204120184f273d8c0156a85ae7e32a191fd

SHA256
a937d15d087c5c13bdb532cb5b2dcfc0df37e1fed8393344e5b7dea2f9235b83

SHA512
d8f9778307465c29a7b6d150e04184c989bd93d986d45b1bc7135bafacf57c03ce03388772501387ad0f2b0ad7b588011c835434b7ac6b3e39828d719bffea50

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
4af7210a2e23270a1041d6f33c743370

SHA1
0f8ac204120184f273d8c0156a85ae7e32a191fd

SHA256
a937d15d087c5c13bdb532cb5b2dcfc0df37e1fed8393344e5b7dea2f9235b83

SHA512
d8f9778307465c29a7b6d150e04184c989bd93d986d45b1bc7135bafacf57c03ce03388772501387ad0f2b0ad7b588011c835434b7ac6b3e39828d719bffea50

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
ba2c494e6db5b1836285a31205416678

SHA1
c096cb45202705bf5b52cf3740eb17e40f8b3979

SHA256
84009f530f6aa7aaa19e9bcaf87cbcd3c658a9fc270d056f5508a7f8e4a43f1f

SHA512
ae0cb3d7a39f63e53e2cef8cbb3bc815add68de0a13ca9d4e579cd129de0abfcab336cbe48d83b5f35867474d35f1d0c7d17038e78fca7471daed8e653cd0ae6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe
Filesize
3.3MB

MD5
ba2c494e6db5b1836285a31205416678

SHA1
c096cb45202705bf5b52cf3740eb17e40f8b3979

SHA256
84009f530f6aa7aaa19e9bcaf87cbcd3c658a9fc270d056f5508a7f8e4a43f1f

SHA512
ae0cb3d7a39f63e53e2cef8cbb3bc815add68de0a13ca9d4e579cd129de0abfcab336cbe48d83b5f35867474d35f1d0c7d17038e78fca7471daed8e653cd0ae6

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll
Filesize
9.4MB

MD5
7e494a4daff4ec78c57c7627d42b0243

SHA1
a8e6ae2caba755289779d0702d474a56fd8125b3

SHA256
c250df0410c7dbb9769a7511e044d38864efa255edec599ceecddd1ff9917f3a

SHA512
8045b1a78a26819244f837c516810b64c195875b48c71c59d4ae688498b6c430e2d5083f0716f8b9c87f8231b83c06ce2802c3b307ccfacda6cec70a17775905

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll
Filesize
9.4MB

MD5
7e494a4daff4ec78c57c7627d42b0243

SHA1
a8e6ae2caba755289779d0702d474a56fd8125b3

SHA256
c250df0410c7dbb9769a7511e044d38864efa255edec599ceecddd1ff9917f3a

SHA512
8045b1a78a26819244f837c516810b64c195875b48c71c59d4ae688498b6c430e2d5083f0716f8b9c87f8231b83c06ce2802c3b307ccfacda6cec70a17775905

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt
Filesize
856B

MD5
a81fd3b03b8c6d6e5a14298110718d3f

SHA1
2a5eedf714b4dc1e7281968d5e235737b26d7114

SHA256
946c2d7808b0f256e5f6b62655246dc9c247833fb2f578519e4354f91deb6e1b

SHA512
494146bb31cf0e115a6e1c632a8ed5608046f5a8b2bbc900832befb07b8f142581483c222067e4405fc2755b5acf722d576ac04b2b6d9f796e5a872fd5c7ddc9

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\manifest.json
Filesize
2KB

MD5
6dd91df40a978355fcbd4465b237a9b8

SHA1
6caf51826eb498fdcd987da5a5743882dba50616

SHA256
74427bb46abd26cc852fa0dcc2ea8ce71133c26a3d91959f0aa3dfcf25ab5cc6

SHA512
f6904d1da39a82b60d5a8502a37eabbdcccc6e78e83af6ae439e4a9decc097c10633e350158d807796d6928f38c8549e468f1ee8b00bdb70400aa2e138fbcca7

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll
Filesize
8.6MB

MD5
53036614f8d73b2b08bc603fa5b7b7d0

SHA1
313ff8947464669244ea68d77eb79fb3ce594d91

SHA256
980f44d3ee0f1a3dab49363dc5d4d8e95a18d717bb704f3346020aa83ccd7832

SHA512
6f898b0c9b5a3aa359019b32cdfeb87beda7fb44f36983b243c2c7848961bb857e97f98918c7b89cb918b3a1849b57927aaf547ea17e416178d27db5e946388e

Download Submit
C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat
Filesize
9KB

MD5
b444d4d5d3979497975a98d61ae7ee6c

SHA1
0eac5ab65a1df52e7d5cdc3c6ddcfdd5e1195842

SHA256
cc22fd3b4156bfa88ecfa173841db14e379d9b9b72fa552f9a331aee161d36d9

SHA512
a7cad967b1ae1fdff5f0de1d0b399a91afc83d5eae3ccebdb131fba1bb332b959f969bb0dc317e652236ef127980ee5faa1dd7d0a2bda0b6b12105705189c48a

Download Submit
C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat
Filesize
4KB

MD5
960fa5690a75088fd25e50217cb6d6f8

SHA1
9ff3fb909835bda47d3ca7b45b69754dc3b79cf2

SHA256
256e1bc27ddd9d0f0197371ed5db4211cdfb704b41f89ddf72d07547551fa585

SHA512
19442c8590c9f7d592bdc8490ba8c72072472032b10b224a0ea790adbefd1bbb4d6637d7def34667aeea991d11a991fefe84377eb65b5b129e53d5726cd8075d

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ico
Filesize
281KB

MD5
0c2b1344d597a3423e8237a60644cc30

SHA1
9986ec34189f98a6efe483fda98359f82d2d936d

SHA256
3e88938769ed6f5b25f9c9a5e0c87bb7cdfd0a6f487ef2163cde5afb6f50a10a

SHA512
c75c5cc381729b199a8a02d26f55c93b3b7fd6df595269350864945c823ddddb9e5ddea211160ab5758cdee7d50eca8be5502aab484825833b8c6e49cf18c870

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
280389c61c7abafd78c32510e910fa4a

SHA1
07f3fee039cd514407ea7707d57aa5f11fd8ae40

SHA256
99686eccfa73c2fe15913b97d3c64b315b9bb80c3471b5a7993af0d60d66e60c

SHA512
0a5513a1210b356ba99a67328c996ff308d427ef72108e15494061705ef07d39d3cea3a0c6aa69f2b15df91ed2f26e2c127272a50ac75823e2633b72373220ae

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
4a85a3d15dba07d98e777306d0cca600

SHA1
4e04f1ac39119608aa04953efa78a01c8aeae636

SHA256
bd19093830fadc2fc41e73cbf4c0e9d5385b25cc8d53a513c020d182fd97f57b

SHA512
72c8c0b4afb4280fab980f7ea49288e72e9532ca3732272fd61236eca410df141216282cf0b74a74657650c9670a3f266f01da836615f23557a0f5d86a5984f4

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
4a85a3d15dba07d98e777306d0cca600

SHA1
4e04f1ac39119608aa04953efa78a01c8aeae636

SHA256
bd19093830fadc2fc41e73cbf4c0e9d5385b25cc8d53a513c020d182fd97f57b

SHA512
72c8c0b4afb4280fab980f7ea49288e72e9532ca3732272fd61236eca410df141216282cf0b74a74657650c9670a3f266f01da836615f23557a0f5d86a5984f4

Download Submit
C:\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
4a85a3d15dba07d98e777306d0cca600

SHA1
4e04f1ac39119608aa04953efa78a01c8aeae636

SHA256
bd19093830fadc2fc41e73cbf4c0e9d5385b25cc8d53a513c020d182fd97f57b

SHA512
72c8c0b4afb4280fab980f7ea49288e72e9532ca3732272fd61236eca410df141216282cf0b74a74657650c9670a3f266f01da836615f23557a0f5d86a5984f4

Download Submit
C:\Windows\System32\Macromed\Flash\NPSWF.dll
Filesize
11.6MB

MD5
f2f32c33fc3b5a8d1727c0851f257362

SHA1
f903eb68a3468a2a429152f59a5c36f22054c505

SHA256
968046072b02e4807a4b37849655f13c45266e2e54e13205aa2c1c712b5c857c

SHA512
993daeb926245a708205bca296a62a4985b1bb502eab995081bb7302753d3d3e34d1aa26f92cf911fdd6b19e60660ecedeee8930e01eca4d558daabf088816a3

Download Submit
C:\Windows\System32\Macromed\Flash\NPSWF.dll
Filesize
11.6MB

MD5
f2f32c33fc3b5a8d1727c0851f257362

SHA1
f903eb68a3468a2a429152f59a5c36f22054c505

SHA256
968046072b02e4807a4b37849655f13c45266e2e54e13205aa2c1c712b5c857c

SHA512
993daeb926245a708205bca296a62a4985b1bb502eab995081bb7302753d3d3e34d1aa26f92cf911fdd6b19e60660ecedeee8930e01eca4d558daabf088816a3

Download Submit
C:\Windows\System32\Macromed\Flash\manifest.json
Filesize
2KB

MD5
ecb7095d6c04b7971c0eaf233c1e2580

SHA1
c215972bec6b119a4de8000b8135eca0749297a5

SHA256
a84b67a14617addae0213ab36ae69f57c1ce5f43fdeaa878ea39771d0d68312b

SHA512
6237262641b1b480ddfb18c35b72ef241bf7e4f8dc8c42e2a8ec2efb074e375ecec288807779d371bdff5593b77a490603d8e380f802b0371b0d21c83b6a961a

Download Submit
C:\Windows\System32\Macromed\Flash\pepflashplayer.dll
Filesize
15.3MB

MD5
c38a3e93484675b42b513313ff045162

SHA1
950ee6a00537b920830808c3157328cbd2e596ec

SHA256
29bf698dda2c616118f55d85bbc5665f12f2a440f48e5b871c6823b2d9b3107e

SHA512
b27dce7496baf7c89f6268ca7e40cd25e0d90aa394eb690429e61e4f669a5f825b78a250d28e5a052fbea10de4c71e767da98a6671de922dec5582409d6f4d63

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash.ocx
Filesize
9.5MB

MD5
4af7210a2e23270a1041d6f33c743370

SHA1
0f8ac204120184f273d8c0156a85ae7e32a191fd

SHA256
a937d15d087c5c13bdb532cb5b2dcfc0df37e1fed8393344e5b7dea2f9235b83

SHA512
d8f9778307465c29a7b6d150e04184c989bd93d986d45b1bc7135bafacf57c03ce03388772501387ad0f2b0ad7b588011c835434b7ac6b3e39828d719bffea50

Download Submit
\Windows\System32\Macromed\Flash\Flash.ocx
Filesize
12.0MB

MD5
4a85a3d15dba07d98e777306d0cca600

SHA1
4e04f1ac39119608aa04953efa78a01c8aeae636

SHA256
bd19093830fadc2fc41e73cbf4c0e9d5385b25cc8d53a513c020d182fd97f57b

SHA512
72c8c0b4afb4280fab980f7ea49288e72e9532ca3732272fd61236eca410df141216282cf0b74a74657650c9670a3f266f01da836615f23557a0f5d86a5984f4

Download Submit
memory/816-147-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/816-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/816-226-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads