File name:

flashcenter_pp_ax_install_cn.exe

Full analysis: https://app.any.run/tasks/42af9617-62e6-44fc-bb0e-0a0546ff48f5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 27, 2024, 20:56:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
loader
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

7424FE053510D978F05F464EF34DD045

SHA1:

BBC9BB0BEEDC025CED722CB7D3217DB129F1A75F

SHA256:

C2BCFCD1BAA8CC96AA6674AE8C2275ADFC1BFDEBED22BD537D44CC1C11406CA9

SSDEEP:

98304:BCCpE2Qsfbn9GYpz2XrA7OVJlx7JHVYaXynJMWu+FYKAH3cy706ucmxM8HKWINHI:m8GLOpoc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • FlashCenterSvc.exe (PID: 1856)

  • SUSPICIOUS

    • Checks Windows Trust Settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)

    • Reads security settings of Internet Explorer

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • FlashHelperService.exe (PID: 1544)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenter.exe (PID: 6068)
      • FlashCenterSvc.exe (PID: 1856)

    • Application launched itself

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • FCBrowser.exe (PID: 6416)

    • Reads Microsoft Outlook installation path

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)

    • Executable content was dropped or overwritten

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Starts application with an unusual extension

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)

    • Reads Internet Explorer settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)

    • Disables SEHOP

      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)

    • Starts CMD.EXE for commands execution

      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)

    • Process requests binary or script from the Internet

      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)

    • Hides command output

      • cmd.exe (PID: 6784)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 6372)
      • cmd.exe (PID: 6188)

    • Reads the date of Windows installation

      • InstallFlashPlayer.exe (PID: 4576)
      • InstallFlashPlayer.exe (PID: 6804)

    • Creates/Modifies COM task schedule object

      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)

    • Creates a software uninstall entry

      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashHelperService.exe (PID: 1544)

    • Executes as Windows Service

      • FlashHelperService.exe (PID: 1544)
      • FlashCenterSvc.exe (PID: 1856)

    • The process creates files with name similar to system file names

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FCBrowser.exe (PID: 6416)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Uses TASKKILL.EXE to kill process

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Drops 7-zip archiver for unpacking

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Process drops legitimate windows executable

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • The process drops C-runtime libraries

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Searches for installed software

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • FlashCenterSvc.exe (PID: 1856)
      • FlashHelperService.exe (PID: 1544)

    • Adds/modifies Windows certificates

      • FCBrowser.exe (PID: 5392)

  • INFO

    • Create files in a temporary directory

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • The sample compiled with english language support

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Checks supported languages

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • FlashPlayerUpdateService.exe (PID: 3640)
      • InstallFlashPlayer.exe (PID: 6804)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • FlashHelperService.exe (PID: 3992)
      • FlashHelperService.exe (PID: 1544)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenterSvc.exe (PID: 6648)
      • FlashCenterSvc.exe (PID: 1856)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 6416)
      • FCLogin.exe (PID: 7024)
      • FCBrowser.exe (PID: 5392)
      • FCBrowser.exe (PID: 5748)
      • FCBrowser.exe (PID: 3824)
      • FCBrowser.exe (PID: 6272)

    • Reads the computer name

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • FlashPlayerUpdateService.exe (PID: 3640)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • FlashHelperService.exe (PID: 3992)
      • FlashHelperService.exe (PID: 1544)
      • FlashCenterSvc.exe (PID: 6648)
      • FlashCenterSvc.exe (PID: 1856)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenter.exe (PID: 6068)
      • FCLogin.exe (PID: 7024)
      • FCBrowser.exe (PID: 6416)
      • FCBrowser.exe (PID: 6272)
      • FCBrowser.exe (PID: 5392)
      • FCBrowser.exe (PID: 5748)
      • FCBrowser.exe (PID: 3824)
      • FCBrowser.exe (PID: 5340)

    • Process checks computer location settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FCBrowser.exe (PID: 5748)

    • Reads the software policy settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • FCBrowser.exe (PID: 5392)

    • Reads the machine GUID from the registry

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • FlashHelperService.exe (PID: 1544)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 5392)
      • FlashCenterSvc.exe (PID: 1856)

    • Creates files or folders in the user directory

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FCLogin.exe (PID: 7024)
      • FlashCenterSvc.exe (PID: 1856)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 6416)
      • FCBrowser.exe (PID: 5392)

    • Checks proxy server information

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 6416)

    • UPX packer has been detected

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)

    • The sample compiled with chinese language support

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • The process uses the downloaded file

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Process checks whether UAC notifications are on

      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)

    • Creates files in the program directory

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)

    • Sends debugging messages

      • FlashCenter.exe (PID: 6068)
      • FCLogin.exe (PID: 7024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (15.1)
.exe | Win32 EXE Yoda's Crypter (14.8)
.exe | Win32 Executable (generic) (2.5)
.exe | Generic Win/DOS Executable (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:05 10:01:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 2337280
InitializedDataSize: 4327936
UninitializedDataSize: -
EntryPoint: 0x1eac95
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.757
ProductVersionNumber: 3.0.0.757
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Inc
FileDescription: Adobe Download Manager
FileVersion: 3.0.0.757s
InternalName: Adobe Download Manager
LegalCopyright: Copyright 2024 Adobe Inc. All rights reserved.
OriginalFileName: Adobe Download Manager
ProductName: Adobe Download Manager
ProductVersion: 3.0.0.757s
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
198
Monitored processes
70
Malicious processes
8
Suspicious processes
4

Behavior graph

Click at the process to see the details
start flashcenter_pp_ax_install_cn.exe flashcenter_pp_ax_install_cn.exe 650a07f5-fecb-4dfb-95f8-7d6e788e1d1c installflashplayer.exe cmd.exe no specs conhost.exe no specs flashplayerupdateservice.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs 5f48566f-c9b7-4b93-95d4-27e3d99eb7b0 installflashplayer.exe installflashplayer.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs flashhelperservice.exe no specs flashhelperservice.exe 7557eefd-f22d-4f4f-ab1a-3324b508ae22 taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs flashcentersvc.exe no specs flashcentersvc.exe flashcenter.exe fcbrowser.exe no specs fclogin.exe fcbrowser.exe no specs fcbrowser.exe fcbrowser.exe no specs fcbrowser.exe no specs fcbrowser.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
488"C:\WINDOWS\system32\Macromed\Temp\{F329150A-92BF-4781-BC9A-6CAA56646A5E}\InstallFlashPlayer.exe" -install -iv 8 -au 4294967295C:\Windows\SysWOW64\Macromed\Temp\{F329150A-92BF-4781-BC9A-6CAA56646A5E}\InstallFlashPlayer.exe
5F48566F-C9B7-4B93-95D4-27E3D99EB7B0
User:
admin
Company:
Adobe
Integrity Level:
HIGH
Description:
Adobe® Flash® Player Installer/Uninstaller 34.0 r0*
Exit code:
0
Version:
34,0,0,323
Modules
Images
c:\windows\syswow64\macromed\temp\{f329150a-92bf-4781-bc9a-6caa56646a5e}\installflashplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
932"C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\615704F2-1654-4403-9858-644DE0985684\7557EEFD-F22D-4F4F-AB1A-3324B508AE22" /S=0 /InstallPath="C:\Program Files (x86)\FlashCenter" /TaskBarShortcut=1 /Bootup=1 /DeskShortcut=1 /SetDefaultProgram=0 C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\615704F2-1654-4403-9858-644DE0985684\7557EEFD-F22D-4F4F-AB1A-3324B508AE22
flashcenter_pp_ax_install_cn.exe
User:
admin
Company:
Chongqing Zhongcheng Network Technology Co., Ltd
Integrity Level:
HIGH
Description:
FlashCenter Installer
Exit code:
0
Version:
3.7.1.5
Modules
Images
c:\users\admin\appdata\local\adobe\4ab7960d-0633-4d7d-a7e4-bd6f8e4f4020\615704f2-1654-4403-9858-644de0985684\7557eefd-f22d-4f4f-ab1a-3324b508ae22
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1144\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeFlashPlayerUpdateService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1220taskkill /F /IM "FCBrowserManager.exe"C:\Windows\SysWOW64\taskkill.exe7557EEFD-F22D-4F4F-AB1A-3324B508AE22
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1328taskkill /F /IM "FCGameManager.exe"C:\Windows\SysWOW64\taskkill.exe7557EEFD-F22D-4F4F-AB1A-3324B508AE22
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1380taskkill /F /IM "FlashCenterSa.exe"C:\Windows\SysWOW64\taskkill.exe7557EEFD-F22D-4F4F-AB1A-3324B508AE22
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1544"C:\WINDOWS\SysWOW64\Macromed\Flash\FlashHelperService.exe"C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe
services.exe
User:
SYSTEM
Company:
重庆重橙网络科技有限公司
Integrity Level:
SYSTEM
Description:
Flash Helper Service rc
Version:
2.3.1.49
Modules
Images
c:\windows\syswow64\macromed\flash\flashhelperservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
1856"C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe"C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe
services.exe
User:
SYSTEM
Company:
Chongqing Zhongcheng Network Technology Co., Ltd
Integrity Level:
SYSTEM
Description:
FlashCenterSvc
Version:
3.0.1.20
Modules
Images
c:\program files (x86)\flashcenter\flashcentersvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
Total events
25 049
Read events
24 861
Write events
167
Delete events
21

Modification events

(PID) Process:(6444) flashcenter_pp_ax_install_cn.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6444) flashcenter_pp_ax_install_cn.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6444) flashcenter_pp_ax_install_cn.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4840) 650A07F5-FECB-4DFB-95F8-7D6E788E1D1CKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4840) 650A07F5-FECB-4DFB-95F8-7D6E788E1D1CKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4840) 650A07F5-FECB-4DFB-95F8-7D6E788E1D1CKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4576) InstallFlashPlayer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_32_0_0_465_pepper.exe
Operation:delete keyName:(default)
Value:
(PID) Process:(4576) InstallFlashPlayer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerPepper
Operation:writeName:Version
Value:
34.0.0.323
(PID) Process:(4576) InstallFlashPlayer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerPepper
Operation:writeName:PlayerPath
Value:
C:\WINDOWS\system32\Macromed\Flash\pepflashplayer64_34_0_0_323.dll
(PID) Process:(4576) InstallFlashPlayer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerPepper
Operation:writeName:UninstallerPath
Value:
C:\WINDOWS\system32\Macromed\Flash\FlashUtil64_34_0_0_323_pepper.exe
Executable files
120
Suspicious files
129
Text files
294
Unknown types
49

Dropped files

PID
Process
Filename
Type
6444flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_caution_200.pngimage
MD5:213238D4F6EFEC2B8CD0D76D318EBF8E
SHA256:90B2DCFA026B942AF56635150A0E7A28FBF111C4790519B8F43EECE8EB287FB7
6444flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\warning_icon.pngimage
MD5:DE6D8A7F831194025F1CCF4B7054E6E5
SHA256:0E7D5E9CF99C1D02047153D81A3C2A2C30CF8E15122776E0C0A982A036A48091
6628flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBder
MD5:C7263BBE79E11F4D46F47D650B775764
SHA256:C93AF1012657E7E5645CB82B1D9490FF17A346A26A0227EF522FA1E9D39DFBAE
6444flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\Local\Temp\Adobe_CDMLogs\Adobe_CDM.logtext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
6628flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_586720B4CCE6636BDFF0D8B1F2669FF4binary
MD5:1E7C896809282895FE7565C5BF450FC9
SHA256:BC60C244700CB3A8FA604B0C62ACA4F7ABD5D55F43C2EB8E3407DDB3443D8BDB
6444flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_check_150.pngimage
MD5:AA02AB840568AD99107CDECE6621C3AC
SHA256:8743B4FEBE9F3C99E1C5B647255E6367DDAC8580E1388FEAF78E0BC84FBB1776
6628flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:3BBEA0903E2381128DFF0D6CA99F6E58
SHA256:70F5E793E98A997FFD800D8E38B8DB745DE2513B640256EE60D455087AB3F423
6444flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_x_150.pngimage
MD5:5CC222F110ED5839F910FBBA15F35368
SHA256:EEE6E710161A3AA8488FB4C1F118B43FA5C377ECDEDFFAAE78A81865F16CF288
6628flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:79ED648AE1C81D8667E7176BF90C2696
SHA256:0D10FA8B4D7E4B9A1D53563357F69DB6ED41EA77C07B7CC1757B367C93D01EDB
6444flashcenter_pp_ax_install_cn.exeC:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_caution_150.pngimage
MD5:CA3872EAE64C5BFD8D41198990B11950
SHA256:3438623C461F8F141976A931D3C00F6877D07CF4A8B534AF1EF9FDFE8B0C6174
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
126
DNS requests
43
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1684
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1684
svchost.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6628
flashcenter_pp_ax_install_cn.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6628
flashcenter_pp_ax_install_cn.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6168
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6628
flashcenter_pp_ax_install_cn.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAioCjIOiEijpApnjmDKOq0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.21.110.146:443
www.bing.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1684
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
23.37.237.227:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1684
svchost.exe
23.37.237.227:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.21.110.146
  • 2.21.110.139
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.162
  • 23.48.23.166
  • 23.48.23.158
  • 23.48.23.147
  • 23.48.23.150
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 23.37.237.227
  • 88.221.169.152
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.78
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
www.flash.cn
  • 43.152.26.151
  • 43.152.28.43
  • 43.152.26.239
  • 43.152.29.148
  • 43.152.28.41
  • 43.152.26.209
  • 43.152.26.238
  • 43.152.28.111
  • 43.152.26.154
  • 43.152.29.72
  • 43.175.152.67
  • 43.152.29.101
  • 43.152.26.197
  • 43.152.28.77
  • 43.175.152.66
whitelisted
api.flash.cn
  • 43.152.28.77
  • 43.152.28.43
  • 43.152.26.239
  • 43.152.29.148
  • 43.152.26.151
  • 43.152.26.209
  • 43.152.26.154
  • 43.152.26.197
  • 43.175.152.67
  • 43.152.28.41
  • 43.152.28.111
  • 43.152.26.238
  • 43.152.29.72
  • 43.175.152.66
  • 43.152.29.101
unknown

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
Process
Message
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe
QString::arg: Argument missing: QPushButton{font: 9pt "Microsoft YaHei UI";color:#444444;background-color:#FFFFFF;text-align:left;padding-left:16px;width:128px;height:32px;border: 0px; },
FlashCenter.exe
QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
flashcenter_pp_ax_install_cn.exe