Malware analysis flashcenter_pp_ax_install_cn.exe Malicious activity

Add for printing

File name:	flashcenter_pp_ax_install_cn.exe
Full analysis:	https://app.any.run/tasks/c19dfe78-8dc6-4cf7-8b53-276e0e8986ce
Verdict:	Malicious activity
Analysis date:	November 26, 2023, 18:08:43
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	7F08B64BA2BF722683FD592656B5F17F
SHA1:	7AD9692774BE1AC97DDBD35257D9AB3A0CEEAA50
SHA256:	00AF416BD2CFFB0B4F0619BB8FB3DC38FB66B890FE339E3492D08641B343AEE1
SSDEEP:	98304:DlAs0UWkMbJXv+You+Fi3k/RxJY2uQXFHBdkqHsH3cy706ucmxM8HKWINHd/SO/I:S8GLOpocv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - InstallFlashPlayer.exe (PID: 308)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - InstallFlashPlayer.exe (PID: 1200)
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - FlashTool.exe (PID: 3284)
  - flashplayer_install_cn_new.exe (PID: 3424)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Creates a writable file in the system directory
  - InstallFlashPlayer.exe (PID: 308)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - InstallFlashPlayer.exe (PID: 1200)
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - FlashHelperService.exe (PID: 2504)
- Actions looks like stealing of personal data
  - FlashCenterSvc.exe (PID: 868)
SUSPICIOUS
- Starts application with an unusual extension
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
- Reads Microsoft Outlook installation path
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Application launched itself
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - FCBrowser.exe (PID: 2804)
  - FCLogin.exe (PID: 1456)
- Checks Windows Trust Settings
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
- Reads security settings of Internet Explorer
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
- Reads the Internet Settings
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - InstallFlashPlayer.exe (PID: 308)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - InstallFlashPlayer.exe (PID: 1200)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FlashCenter.exe (PID: 1620)
  - FCBrowser.exe (PID: 2804)
  - FCBrowser.exe (PID: 1036)
  - FCLogin.exe (PID: 1456)
  - flashplayer_install_cn_new.exe (PID: 3424)
  - FlashTool.exe (PID: 3284)
- Reads settings of System Certificates
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - FlashCenter.exe (PID: 1620)
  - FCBrowser.exe (PID: 1036)
  - FlashTool.exe (PID: 3284)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Reads Internet Explorer settings
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Process requests binary or script from the Internet
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
- Starts CMD.EXE for commands execution
  - InstallFlashPlayer.exe (PID: 308)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - InstallFlashPlayer.exe (PID: 1200)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
- Disables SEHOP
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
- Executes as Windows Service
  - FlashHelperService.exe (PID: 2504)
  - FlashCenterSvc.exe (PID: 868)
- Creates a software uninstall entry
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Drops 7-zip archiver for unpacking
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- The process drops C-runtime libraries
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- The process creates files with name similar to system file names
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FCBrowser.exe (PID: 2804)
- Malware-specific behavior (creating "System.dll" in Temp)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Uses TASKKILL.EXE to kill process
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Process drops legitimate windows executable
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Searches for installed software
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - FlashCenterSvc.exe (PID: 868)
- Adds/modifies Windows certificates
  - FCBrowser.exe (PID: 2804)
  - FlashRepair.exe (PID: 3408)
INFO
- Checks supported languages
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - InstallFlashPlayer.exe (PID: 308)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - InstallFlashPlayer.exe (PID: 1200)
  - FlashPlayerUpdateService.exe (PID: 2284)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FlashHelperService.exe (PID: 2444)
  - FlashHelperService.exe (PID: 2504)
  - FlashCenterSvc.exe (PID: 116)
  - FlashCenterSvc.exe (PID: 868)
  - FlashCenter.exe (PID: 1620)
  - FCLogin.exe (PID: 2876)
  - FCBrowser.exe (PID: 2804)
  - FCBrowser.exe (PID: 1364)
  - FCBrowser.exe (PID: 1308)
  - FCBrowser.exe (PID: 1612)
  - FCBrowser.exe (PID: 1036)
  - FCLogin.exe (PID: 2704)
  - FCLogin.exe (PID: 2176)
  - FCLogin.exe (PID: 2752)
  - FCBrowser.exe (PID: 2980)
  - FlashTool.exe (PID: 3284)
  - FCLogin.exe (PID: 1456)
  - FlashRepair.exe (PID: 3408)
  - flashplayer_install_cn_new.exe (PID: 3424)
  - FlashHelperService.exe (PID: 3620)
- Reads the computer name
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - InstallFlashPlayer.exe (PID: 308)
  - FlashPlayerUpdateService.exe (PID: 2284)
  - InstallFlashPlayer.exe (PID: 1200)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - FlashHelperService.exe (PID: 2444)
  - FlashHelperService.exe (PID: 2504)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FlashCenterSvc.exe (PID: 116)
  - FlashCenterSvc.exe (PID: 868)
  - FlashCenter.exe (PID: 1620)
  - FCBrowser.exe (PID: 2804)
  - FCLogin.exe (PID: 2876)
  - FCBrowser.exe (PID: 1036)
  - FCBrowser.exe (PID: 1364)
  - FCBrowser.exe (PID: 1308)
  - FCBrowser.exe (PID: 1612)
  - FCLogin.exe (PID: 2704)
  - FCLogin.exe (PID: 2752)
  - FCLogin.exe (PID: 2176)
  - FCBrowser.exe (PID: 2980)
  - FCLogin.exe (PID: 1456)
  - FlashRepair.exe (PID: 3408)
  - flashplayer_install_cn_new.exe (PID: 3424)
  - FlashTool.exe (PID: 3284)
  - FlashHelperService.exe (PID: 3620)
- Checks proxy server information
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FlashCenter.exe (PID: 1620)
  - FlashTool.exe (PID: 3284)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Reads the machine GUID from the registry
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - flashcenter_pp_ax_install_cn.exe (PID: 2420)
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - InstallFlashPlayer.exe (PID: 1200)
  - FlashHelperService.exe (PID: 2504)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FlashCenterSvc.exe (PID: 868)
  - FlashCenter.exe (PID: 1620)
  - FCBrowser.exe (PID: 2804)
  - FCLogin.exe (PID: 2876)
  - FCBrowser.exe (PID: 1364)
  - FCBrowser.exe (PID: 1036)
  - FCLogin.exe (PID: 1456)
  - FlashTool.exe (PID: 3284)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Creates files or folders in the user directory
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FlashCenterSvc.exe (PID: 868)
  - FlashCenter.exe (PID: 1620)
  - FCLogin.exe (PID: 2876)
  - FCBrowser.exe (PID: 2804)
  - FCBrowser.exe (PID: 1036)
  - FCLogin.exe (PID: 1456)
  - FlashTool.exe (PID: 3284)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Create files in a temporary directory
  - flashcenter_pp_ax_install_cn.exe (PID: 636)
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
  - FCBrowser.exe (PID: 1036)
  - FlashTool.exe (PID: 3284)
  - flashplayer_install_cn_new.exe (PID: 3424)
- Process checks are UAC notifies on
  - AA7EF494-CB5A-41E6-95CC-8C631E30BF44 (PID: 2764)
  - InstallFlashPlayer.exe (PID: 308)
  - E4745DFB-55ED-4203-8D13-2CF7F0C96CF6 (PID: 1460)
  - InstallFlashPlayer.exe (PID: 1200)
- Creates files in the program directory
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Reads Environment values
  - 2E01E897-ED77-4E08-9EF6-4868E84F8CE0 (PID: 1612)
- Process checks computer location settings
  - FCBrowser.exe (PID: 1364)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (15.1)
.exe	\|	Win32 EXE Yoda's Crypter (14.8)
.exe	\|	Win32 Executable (generic) (2.5)
.exe	\|	Generic Win/DOS Executable (1.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:07 09:15:39+01:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	2332160
InitializedDataSize:	4325376
UninitializedDataSize:	-
EntryPoint:	0x1e997e
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.0.0.711
ProductVersionNumber:	3.0.0.711
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Adobe Inc
FileDescription:	Adobe Download Manager
FileVersion:	3.0.0.711s
InternalName:	Adobe Download Manager
LegalCopyright:	Copyright 2023 Adobe Inc. All rights reserved.
OriginalFileName:	Adobe Download Manager
ProductName:	Adobe Download Manager
ProductVersion:	3.0.0.711s

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

109

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

"C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe" /start

C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe

—

2E01E897-ED77-4E08-9EF6-4868E84F8CE0

User:

admin

Company:

Chongqing Zhongcheng Network Technology Co., Ltd

Integrity Level:

HIGH

Description:

FlashCenterSvc

Exit code:

Version:

3.0.1.7

Modules

Images
c:\program files (x86)\flashcenter\flashcentersvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

308

"C:\Windows\system32\Macromed\Temp\{189ADF45-93E2-4423-A64D-D1C0B20A1AB6}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 8 -au 4294967295

C:\Windows\SysWOW64\Macromed\Temp\{189ADF45-93E2-4423-A64D-D1C0B20A1AB6}\InstallFlashPlayer.exe

—

AA7EF494-CB5A-41E6-95CC-8C631E30BF44

User:

admin

Company:

Adobe

Integrity Level:

HIGH

Description:

Adobe® Flash® Player Installer/Uninstaller 34.0 r0*

Exit code:

Version:

34,0,0,301

Modules

Images
c:\windows\syswow64\macromed\temp\{189adf45-93e2-4423-a64d-d1c0b20a1ab6}\installflashplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

572

taskkill /F /IM "FCLogin.exe"

C:\Windows\SysWOW64\taskkill.exe

—

2E01E897-ED77-4E08-9EF6-4868E84F8CE0

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

636

"C:\Users\admin\Desktop\flashcenter_pp_ax_install_cn.exe"

C:\Users\admin\Desktop\flashcenter_pp_ax_install_cn.exe

explorer.exe

User:

admin

Company:

Adobe Inc

Integrity Level:

MEDIUM

Description:

Adobe Download Manager

Exit code:

Version:

3.0.0.711s

Modules

Images
c:\users\admin\desktop\flashcenter_pp_ax_install_cn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

684

"C:\Windows\system32\cmd.exe" /c del "C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\030CB1A5-D008-448C-837E-4DEE241E07E7\AA7EF494-CB5A-41E6-95CC-8C631E30BF44" >> NUL

C:\Windows\SysWOW64\cmd.exe

—

AA7EF494-CB5A-41E6-95CC-8C631E30BF44

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

812

taskkill /F /IM "FlashCenter.exe"

C:\Windows\SysWOW64\taskkill.exe

—

2E01E897-ED77-4E08-9EF6-4868E84F8CE0

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

848

taskkill /F /IM "FCTips.exe"

C:\Windows\SysWOW64\taskkill.exe

—

2E01E897-ED77-4E08-9EF6-4868E84F8CE0

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

868

"C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe"

C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe

services.exe

User:

SYSTEM

Company:

Chongqing Zhongcheng Network Technology Co., Ltd

Integrity Level:

SYSTEM

Description:

FlashCenterSvc

Exit code:

Version:

3.0.1.7

Modules

Images
c:\program files (x86)\flashcenter\flashcentersvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

988

taskkill /F /IM "FlashRepair.exe"

C:\Windows\SysWOW64\taskkill.exe

—

2E01E897-ED77-4E08-9EF6-4868E84F8CE0

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1036

"C:\Program Files (x86)\FlashCenter\FCBrowser.exe" --type=utility --field-trial-handle=1256,9845141922085119339,18296771379972273978,131072 --enable-features=CastMediaRouteProvider,CookieDeprecationMessages,CrossOriginEmbedderPolicy,CrossOriginOpenerPolicy,DocumentPolicy,FeaturePolicyForClientHints,OriginIsolationHeader,OriginPolicy,UserAgentClientHint --disable-features=OutOfBlinkCors --lang=zh-CN --service-sandbox-type=network --no-sandbox --enable-experimental-web-platform-features --log-file="C:\Program Files (x86)\FlashCenter\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 7sp1; W0W64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36 FCBrowser/3.1.0.61 Browser/3.1.0.61" --lang=zh-CN --log-file="C:\Program Files (x86)\FlashCenter\debug.log" --mojo-platform-channel-handle=1676 /prefetch:8

C:\Program Files (x86)\FlashCenter\FCBrowser.exe

FCBrowser.exe

User:

admin

Company:

Chongqing Zhongcheng Network Technology Co., Ltd

Integrity Level:

HIGH

Description:

FCBrowse

Exit code:

Version:

3.1.0.61

Modules

Images
c:\program files (x86)\flashcenter\fcbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

14 009

Read events

13 561

Write events

180

Delete events

268

Modification events


(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2420) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(636) flashcenter_pp_ax_install_cn.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2764) AA7EF494-CB5A-41E6-95CC-8C631E30BF44	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2764) AA7EF494-CB5A-41E6-95CC-8C631E30BF44	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

118

Suspicious files

170

Text files

543

Unknown types

Dropped files

PID	Process	Filename		Type
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_caution_200.png		image
		MD5:213238D4F6EFEC2B8CD0D76D318EBF8E	SHA256:90B2DCFA026B942AF56635150A0E7A28FBF111C4790519B8F43EECE8EB287FB7
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_check_150.png		image
		MD5:AA02AB840568AD99107CDECE6621C3AC	SHA256:8743B4FEBE9F3C99E1C5B647255E6367DDAC8580E1388FEAF78E0BC84FBB1776
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\warning_icon.png		image
		MD5:DE6D8A7F831194025F1CCF4B7054E6E5	SHA256:0E7D5E9CF99C1D02047153D81A3C2A2C30CF8E15122776E0C0A982A036A48091
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_caution_150.png		image
		MD5:CA3872EAE64C5BFD8D41198990B11950	SHA256:3438623C461F8F141976A931D3C00F6877D07CF4A8B534AF1EF9FDFE8B0C6174
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_caution_125.png		image
		MD5:4A2BF8C96F910B1B2AE63A9F4A0D4B8F	SHA256:0CB2F4EE1C451A8825EB8EDB45858B28345F73423C7A7AEF4168C46F7E3638BF
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Temp\Adobe_CDMLogs\Adobe_CDM.log		text
		MD5:F3B25701FE362EC84616A93A45CE9998	SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_check_125.png		image
		MD5:CD14309BBB8F5AD698E3196BBFCA88B6	SHA256:CF9AF9956E356D637E43A0B82C9328B13764ECD0BB3E3686A08AA2C2640A6C8B
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_x_200.png		image
		MD5:40A32023DBFCCA1A80B69408735E15C2	SHA256:D5A9BFE6D64F5C09F1DE3DCC74B30520DB5F78BCC6FC1E9A87EB141D9B46EA61
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_caution_100.png		image
		MD5:56F804DB5509B1CF08BE5C994AFC2322	SHA256:C4768FC9A84B0D3ECDEEE93820703D769737B992EFD1F0CBE9F7A9D3BBDFA0FB
636	flashcenter_pp_ax_install_cn.exe	C:\Users\admin\AppData\Local\Adobe\2107216B-7387-418E-B1CF-4E2BACCCEED8\status_icon_x_125.png		image
		MD5:B33C312C95B36E4A3B0F4984B9FE09F2	SHA256:BA0D355243271CB79F5E3EAA3BCAA8BF9169C2E5B0B8E98C6E8418CF6F15AB9D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

135

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1612	2E01E897-ED77-4E08-9EF6-4868E84F8CE0	GET	—	112.47.51.222:80	http://tongji.flash.cn/hm4.gif?product=FC&event=install&uid=CFB908E1E60FC4BC12BBB209DB406F6A&zcid=CFB908E1E60FC4BC12BBB209DB406F6A&um=B6B90A22C75A37D0C5A7A17FF123C633&platform=Windows&channel=10041&oldchannel=&version=3.1.0.61&key=0&data={"osversion":"6.1.7601.23915","type":"0","time":"1701022253","success":"0"}&osversion=6.1.7601.23915&signature=176CF6A842A2AB65460C415F389FC977654C9F061D977BDA2FDC609B8A34CC33079E244BBEC4F731127DD0CA9E23283FDE592ABA124FFA1354A44B38104E6F413C7785758E744C55D53FFEABB3D96448E929B050979368BB28564A72D6495F982709C1F524D9F8C4E1BA573FA70FA2BA5A821BFDF1645792B2BE42946BA9DC2CE80ED74D1CAE359251646C7830A4E827B0FE8247028F2979558B39D29B2C87A43ABC733FE85AC460B52E7E5D286CFF1A9FBB2FCD75A70D63F80E75D1CBA0E0A1	unknown	—	—	unknown
2764	AA7EF494-CB5A-41E6-95CC-8C631E30BF44	GET	404	72.247.154.209:80	http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml34.0.0.301~installVector=108&previousVersion=27.0.0.187&pProc=flashcenter_pp_ax_install_cn.exe&lang=en&cpuWordLength=64&playerType=pep&os=win&osVer=13&isDebug=0	unknown	html	440 b	unknown
1460	E4745DFB-55ED-4203-8D13-2CF7F0C96CF6	GET	404	72.247.154.209:80	http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml34.0.0.301~installVector=108&previousVersion=27.0.0.187&pProc=flashcenter_pp_ax_install_cn.exe&lang=en&cpuWordLength=64&playerType=ax&os=win&osVer=13&isDebug=0	unknown	html	439 b	unknown
1036	FCBrowser.exe	GET	200	2.19.198.81:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6817b7fb3055eadd	unknown	compressed	61.6 Kb	unknown
1036	FCBrowser.exe	GET	200	2.19.198.81:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6ca836be4f6e971e	unknown	compressed	61.6 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
636	flashcenter_pp_ax_install_cn.exe	43.152.26.142:443	www.flash.cn	ACE	DE	unknown
636	flashcenter_pp_ax_install_cn.exe	43.152.26.154:443	www.flash.cn	ACE	DE	unknown
636	flashcenter_pp_ax_install_cn.exe	23.45.238.176:443	fusionpings.adobe.com	AKAMAI-AS	DE	unknown
2764	AA7EF494-CB5A-41E6-95CC-8C631E30BF44	2.20.211.180:443	fpdownload.macromedia.com	AKAMAI-AS	CH	unknown
2764	AA7EF494-CB5A-41E6-95CC-8C631E30BF44	72.247.154.209:80	fpdownload2.macromedia.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
www.flash.cn	43.152.26.142 43.152.26.154 43.152.26.221 43.152.26.151 43.152.44.160 43.152.26.104 43.152.26.58 43.152.26.197 112.47.51.32 112.47.51.221 112.47.51.224 112.47.51.222 112.47.51.225 112.47.51.223	whitelisted
api.flash.cn	43.152.26.154 43.152.26.58 43.152.26.197 43.152.26.142 43.152.44.160 43.152.26.151 43.152.26.104 43.152.26.221 112.47.51.32 112.47.51.221 112.47.51.224 112.47.51.222 112.47.51.225 112.47.51.223	unknown
fusionpings.adobe.com	23.45.238.176	whitelisted
fpdownload.macromedia.com	2.20.211.180 23.206.117.14	whitelisted
fpdownload2.macromedia.com	72.247.154.209 72.247.154.184	whitelisted
tongji.flash.cn	112.47.51.222 112.47.51.225 112.47.51.223 112.47.51.32 112.47.51.221 112.47.51.224 114.112.216.187 116.153.64.177 36.249.64.211 122.189.81.102 220.200.129.231 125.39.223.208 61.243.13.91 101.69.174.125 113.207.30.62 61.162.174.89 101.72.233.225 58.20.196.103 116.153.64.182 115.56.90.187 1.56.98.101	whitelisted
apifcv2.flash.cn	211.97.84.216 112.64.213.145 116.153.46.49 121.29.2.119 101.69.99.6 61.54.94.104 36.250.243.8 61.243.158.124 61.167.56.183 61.243.13.29 113.207.69.125 116.177.240.70 122.189.171.228	unknown
api-game.flash.cn	112.47.51.222 112.47.51.225 112.47.51.223 112.47.51.32 112.47.51.221 112.47.51.224 115.56.90.187 61.162.174.89 122.189.81.102 113.207.30.62 125.39.223.208 61.243.13.91 1.56.98.101 58.20.196.103 220.200.129.231 101.69.174.125 101.72.233.225 116.153.64.177 36.249.64.211 114.112.216.187 116.153.64.182	unknown
static.ffzww.com	122.189.171.106 61.243.158.204 61.243.158.244 61.243.158.245 61.54.7.111 61.54.7.107 61.54.7.127 61.54.7.129 36.248.64.77 61.54.7.112 61.243.158.136 202.97.231.60 61.243.158.194	unknown
apifc.flash.cn	114.112.216.187 122.189.81.102 220.200.129.231 116.153.64.177 101.72.233.225 1.56.98.101 58.20.196.103 115.56.90.187 101.69.174.125 116.153.64.182 61.162.174.89 113.207.30.62 125.39.223.208 61.243.13.91 36.249.64.211	unknown

Threats

Found threats are available for the paid subscriptions

2 ETPRO signatures available at the full report

Add for printing

Process	Message
FlashCenter.exe	QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
FlashCenter.exe	QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe	QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe	QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
FlashCenter.exe	QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe	QString::arg: Argument missing: QPushButton{font: 9pt "Microsoft YaHei UI";color:#444444;background-color:#FFFFFF;text-align:left;padding-left:16px;width:128px;height:32px;border: 0px; },
FlashCenter.exe	QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe	Could not parse stylesheet of object QPushButton(0x4e0c198)
FlashCenter.exe	Could not parse stylesheet of object QPushButton(0x4e0cc10)
FlashCenter.exe	Could not parse stylesheet of object QPushButton(0x4e0cef0)

General Info

flashcenter_pp_ax_install_cn.exe

7F08B64BA2BF722683FD592656B5F17F

7AD9692774BE1AC97DDBD35257D9AB3A0CEEAA50

00AF416BD2CFFB0B4F0619BB8FB3DC38FB66B890FE339E3492D08641B343AEE1

98304:DlAs0UWkMbJXv+You+Fi3k/RxJY2uQXFHBdkqHsH3cy706ucmxM8HKWINHd/SO/I:S8GLOpocv

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

Actions looks like stealing of personal data

SUSPICIOUS

Starts application with an unusual extension

Reads Microsoft Outlook installation path

Application launched itself

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Reads the Internet Settings

Reads settings of System Certificates

Reads Internet Explorer settings

Process requests binary or script from the Internet

Starts CMD.EXE for commands execution

Disables SEHOP

Executes as Windows Service

Creates a software uninstall entry

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

Uses TASKKILL.EXE to kill process

Process drops legitimate windows executable

Searches for installed software

Adds/modifies Windows certificates

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Create files in a temporary directory

Process checks are UAC notifies on

Creates files in the program directory

Reads Environment values

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity