Analysis Overview
SHA256
d2d7d15568fbfac8356140cc1a2e985a73b174ab0f2cd644976b632405f03030
Threat Level: Likely malicious
The file FISHAO installer.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Stops running service(s)
Loads dropped DLL
Registers COM server for autorun
Executes dropped EXE
Modifies file permissions
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Kills process with taskkill
Uses Task Scheduler COM API
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 22:04
Reported
2024-06-16 22:07
Platform
win11-20240508-en
Max time kernel
150s
Max time network
99s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\GamoVation\FISHAO\Requirements\Flash Player.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_242.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_242.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_242.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\Macromed\Flash\Flash.ocx | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\NPSWF.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\manifest.json | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\manifest.json | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\FlashPlayerApp.exe | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\NPSWF.dll | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\FlashPlayerApp.exe | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\Flash.ocx | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\pepflashplayer.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\Flash.ico | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\Flash.ico | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\Flash.ico | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\Flash.ocx | C:\Windows\system32\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash\pepflashplayer.dll | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\Flash.ico | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Macromed\Flash | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\System32\Macromed\Flash\manifest.json | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\manifest.json | C:\Windows\system32\xcopy.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\GamoVation\FISHAO\Uninstall FISHAO_lang.ifl | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\Uninstall FISHAO.dat | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe.config | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\readme.txt | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\Requirements\Flash Player.exe | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\Uninstall FISHAO.exe | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\System.Net.Http.dll | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File created | C:\Program Files (x86)\GamoVation\FISHAO\Requirements\ndp48-web.exe | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GamoVation\FISHAO\Uninstall FISHAO_lang.ifl | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64 | C:\Windows\system32\xcopy.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.34\ = "Shockwave Flash Object" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.26\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\ = "Shockwave Flash Object" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.28\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.28 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.26\ = "Shockwave Flash Object" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.29\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.33\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\System32\\Macromed\\Flash\\Flash.ocx, 1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.32\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash.ocx, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.27\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe
"C:\Users\Admin\AppData\Local\Temp\FISHAO installer.exe"
C:\Program Files (x86)\GamoVation\FISHAO\Requirements\Flash Player.exe
"C:\Program Files (x86)\GamoVation\FISHAO\Requirements\Flash Player.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_242.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_242.exe /ai /gm2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat"
C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\*" /t /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\*" /t /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerApp.exe" /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerApp.exe" /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl" /c /grant "Everyone:f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayer" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveXReleaseType" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_ActiveX.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_ActiveX.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\*" "C:\Windows\SysWOW64\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx" "C:\Windows\System32\Macromed\Flash\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx" "C:\Windows\SysWOW64\Macromed\Flash\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\find.exe
find "5."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\find.exe
find "5."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\System32\Macromed\Flash\Flash.ocx"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
C:\Windows\system32\timeout.exe
TIMEOUT /t 2
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayName" /d "Adobe Flash Player 34 ActiveX"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayVersion" /d "34.0.0.242"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ocx"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_AX.bat"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_242.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_242.exe /ai /gm2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat"
C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center\Svc\Vol" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /f /v "cval"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashPlayerPluginReleaseType" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPluginReleaseType" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x64files\*" "C:\Windows\System32\Macromed\Flash\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "Path" /d "C:\Windows\SysWOW64\Macromed\Flash\NPSWF.dll"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer" /f /v "XPTPath" /d "C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt"
C:\Windows\system32\timeout.exe
TIMEOUT /t 2
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 NPAPI"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayVersion" /d "34.0.0.242"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\NPSWF.dll"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_NPAPI.bat"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_242.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_242.exe /ai /gm2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat"
C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
C:\Windows\system32\sc.exe
sc stop "Flash Helper Service"
C:\Windows\system32\taskkill.exe
taskkill /f /im FlashHelperService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im FlashPlayerUpdateService.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "Adobe Flash Player Updater" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "FlashHelper TaskMachineCore" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Macromedia\FlashHelper" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashHelper" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\Flash Helper Service" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\services\AdobeFlashPlayerUpdateSvc" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashHelperService.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /f /v "FlashHelperService.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Macromed\Flash\*" /a /r /d y
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SysWOW64\Macromed\Flash\*" /a /r /d y
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\Macromed\Flash\*" /t /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Macromed\Flash\*" /t /c /grant "Everyone:f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\*" "C:\Windows\System32\Macromed\Flash\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\xcopy.exe
xcopy /c/i/r/y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\*" "C:\Windows\SysWOW64\Macromed\Flash\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat" "C:\Windows\System32\Macromed\Flash\" 1>NUL 2>NUL"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\System32\Macromed\Flash\pepflashplayer.dll"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "Version" /d "34.0.0.242"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isESR" /t REG_DWORD /d "0"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isMSI" /t REG_DWORD /d "0"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isPartner" /t REG_DWORD /d "1"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "isScriptDebugger" /t REG_DWORD /d "0"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepperReleaseType" /f /v "Release" /t REG_DWORD /d "1"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPepper" /f /v "PlayerPath" /d "C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer.dll"
C:\Windows\system32\timeout.exe
TIMEOUT /t 2
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayName" /d "Adobe Flash Player 34 PPAPI"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayVersion" /d "34.0.0.242"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "HelpLink" /d "https://www.423down.com/2082.html"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "DisplayIcon" /d "C:\Windows\System32\Macromed\Flash\Flash.ico"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI" /f /v "UninstallString" /d "C:\Windows\System32\Macromed\Flash\Cleaner_Flash_Player_PPAPI.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe
"C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.fishao.com | udp |
| US | 52.111.227.14:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IF{D536A6E3-C153-42FC-8FCA-CC97750BF43F}\default.ifl
C:\Program Files (x86)\GamoVation\FISHAO\Requirements\Flash Player.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\InstFlash.cmd
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_ActiveX_v34_0_0_242.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\!)Install_Flash_Player_AX.bat
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\app\FlashPlayerApp.exe
C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x64files\Flash.ocx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\x32files\Flash.ocx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cleaner_Flash_Player_AX.bat
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_NPAPI_v34_0_0_242.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\!)Install_Flash_Player_NPAPI.bat
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\x32files\NPSWF.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Cleaner_Flash_Player_NPAPI.bat
C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt
C:\Windows\System32\Macromed\Flash\NPSWF.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adobe_Flash_Player_PPAPI_v34_0_0_242.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x64files\pepflashplayer.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\pepflashplayer.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Cleaner_Flash_Player_PPAPI.bat
C:\Windows\SysWOW64\Macromed\Flash\manifest.json
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\x32files\Flash.ico
C:\Windows\System32\Macromed\Flash\manifest.json
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\!)Install_Flash_Player_PPAPI.bat
C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe
C:\Program Files (x86)\GamoVation\FISHAO\FISHAO.exe.config