File name: flashcenter_pp_ax_install_cn.exe

Full analysis: https://app.any.run/tasks/42af9617-62e6-44fc-bb0e-0a0546ff48f5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. After profiling the infected system it installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing e-mails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: December 27, 2024, 20:56:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
loader
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 7424FE053510D978F05F464EF34DD045
SHA1: BBC9BB0BEEDC025CED722CB7D3217DB129F1A75F
SHA256: C2BCFCD1BAA8CC96AA6674AE8C2275ADFC1BFDEBED22BD537D44CC1C11406CA9
SSDEEP: 98304:BCCpE2Qsfbn9GYpz2XrA7OVJlx7JHVYaXynJMWu+FYKAH3cy706ucmxM8HKWINHI:m8GLOpoc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • FlashCenterSvc.exe (PID: 1856)
  • SUSPICIOUS

    • Application launched itself

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • FCBrowser.exe (PID: 6416)
    • Reads security settings of Internet Explorer

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • FlashHelperService.exe (PID: 1544)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenter.exe (PID: 6068)
      • FlashCenterSvc.exe (PID: 1856)
    • Checks Windows Trust Settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
    • Reads Microsoft Outlook installation path

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
    • Reads Internet Explorer settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
    • Executable content was dropped or overwritten

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Starts application with an unusual extension

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
    • Disables SEHOP

      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
    • Reads the date of Windows installation

      • InstallFlashPlayer.exe (PID: 4576)
      • InstallFlashPlayer.exe (PID: 6804)
    • Starts CMD.EXE for commands execution

      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
    • Process requests binary or script from the Internet

      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
    • Hides command output

      • cmd.exe (PID: 6784)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 6372)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 6188)
    • Creates/Modifies COM task schedule object

      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
    • Creates a software uninstall entry

      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashHelperService.exe (PID: 1544)
    • Executes as Windows Service

      • FlashHelperService.exe (PID: 1544)
      • FlashCenterSvc.exe (PID: 1856)
    • The process creates files with names similar to system file names

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FCBrowser.exe (PID: 6416)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Uses TASKKILL.EXE to kill process

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Process drops legitimate windows executable

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • The process drops C-runtime libraries

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Drops 7-zip archiver for unpacking

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Searches for installed software

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • FlashCenterSvc.exe (PID: 1856)
      • FlashHelperService.exe (PID: 1544)
    • Adds/modifies Windows certificates

      • FCBrowser.exe (PID: 5392)
  • INFO

    • Create files in a temporary directory

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Reads the computer name

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • FlashPlayerUpdateService.exe (PID: 3640)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • FlashHelperService.exe (PID: 3992)
      • FlashHelperService.exe (PID: 1544)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenterSvc.exe (PID: 6648)
      • FlashCenterSvc.exe (PID: 1856)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 6416)
      • FCLogin.exe (PID: 7024)
      • FCBrowser.exe (PID: 5748)
      • FCBrowser.exe (PID: 6272)
      • FCBrowser.exe (PID: 5392)
      • FCBrowser.exe (PID: 3824)
      • FCBrowser.exe (PID: 5340)
    • The sample was compiled with English language support

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Checks supported languages

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • InstallFlashPlayer.exe (PID: 4576)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • FlashPlayerUpdateService.exe (PID: 3640)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • FlashHelperService.exe (PID: 3992)
      • FlashHelperService.exe (PID: 1544)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenterSvc.exe (PID: 6648)
      • FlashCenterSvc.exe (PID: 1856)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 6416)
      • FCLogin.exe (PID: 7024)
      • FCBrowser.exe (PID: 6272)
      • FCBrowser.exe (PID: 5392)
      • FCBrowser.exe (PID: 5748)
      • FCBrowser.exe (PID: 3824)
    • Process checks computer location settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 6804)
      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FCBrowser.exe (PID: 5748)
    • Reads the machine GUID from the registry

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • FlashHelperService.exe (PID: 1544)
      • FlashCenter.exe (PID: 6068)
      • FCBrowser.exe (PID: 5392)
      • FlashCenterSvc.exe (PID: 1856)
    • Reads the software policy settings

      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • FCBrowser.exe (PID: 5392)
    • Creates files or folders in the user directory

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 488)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FlashCenter.exe (PID: 6068)
      • FCLogin.exe (PID: 7024)
      • FlashCenterSvc.exe (PID: 1856)
      • FCBrowser.exe (PID: 6416)
      • FCBrowser.exe (PID: 5392)
    • Checks proxy server information

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • FlashCenter.exe (PID: 6068)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
      • FCBrowser.exe (PID: 6416)
    • The sample was compiled with Chinese language support

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Process checks whether UAC notifications are on

      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 4576)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
    • UPX packer has been detected

      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • flashcenter_pp_ax_install_cn.exe (PID: 6628)
    • The process uses the downloaded file

      • InstallFlashPlayer.exe (PID: 4576)
      • flashcenter_pp_ax_install_cn.exe (PID: 6444)
      • 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C (PID: 4840)
      • InstallFlashPlayer.exe (PID: 488)
      • InstallFlashPlayer.exe (PID: 6804)
      • 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0 (PID: 7092)
      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Creates files in the program directory

      • 7557EEFD-F22D-4F4F-AB1A-3324B508AE22 (PID: 932)
    • Sends debugging messages

      • FlashCenter.exe (PID: 6068)
      • FCLogin.exe (PID: 7024)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (15.1)
.exe | Win32 EXE Yoda's Crypter (14.8)
.exe | Win32 Executable (generic) (2.5)
.exe | Generic Win/DOS Executable (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:05 10:01:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 2337280
InitializedDataSize: 4327936
UninitializedDataSize: -
EntryPoint: 0x1eac95
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.757
ProductVersionNumber: 3.0.0.757
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Inc
FileDescription: Adobe Download Manager
FileVersion: 3.0.0.757s
InternalName: Adobe Download Manager
LegalCopyright: Copyright 2024 Adobe Inc. All rights reserved.
OriginalFileName: Adobe Download Manager
ProductName: Adobe Download Manager
ProductVersion: 3.0.0.757s
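The hashes listed under "Indicators" and the UPX verdict from TRiD and the "UPX packer has been detected" signature can be checked offline with a short script. The following is an added example written for this page; it is not part of the ANY.RUN report and not code from the analysed software. REPORT_IOCS holds the report's own hash values. The PE image the script builds is constructed test data in which only the header fields the parser reads are populated, and the names build_fake_pe, pe_section_names and looks_upx_packed are chosen here.

```python
"""Offline triage helpers for the indicators in this report.

Added example, not part of the ANY.RUN report. REPORT_IOCS holds the report's own
hash values; the PE image used for demonstration is constructed inline so the
script runs without the real sample.
"""
import hashlib
import struct

# IoCs copied from the "Indicators" section of the report.
REPORT_IOCS = {
    "md5": "7424FE053510D978F05F464EF34DD045",
    "sha1": "BBC9BB0BEEDC025CED722CB7D3217DB129F1A75F",
    "sha256": "C2BCFCD1BAA8CC96AA6674AE8C2275ADFC1BFDEBED22BD537D44CC1C11406CA9",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, upper-case hex as the report prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def matches_report(data: bytes, iocs: dict = REPORT_IOCS) -> bool:
    """True only if every listed hash matches; one mismatch means a different file."""
    got = file_hashes(data)
    return all(got[name] == value.upper() for name, value in iocs.items())


def pe_section_names(data: bytes) -> list:
    """Read the section names from a PE image.

    Layout used: 'MZ' stub, e_lfanew at 0x3C, 'PE\\0\\0', 20-byte COFF header
    (NumberOfSections at +2, SizeOfOptionalHeader at +16), the optional header,
    then 40-byte section headers whose first 8 bytes are the NUL-padded name.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX keeps its default section names (UPX0/UPX1/UPX2) unless the packer was patched."""
    return bool(set(pe_section_names(data)) & {"UPX0", "UPX1", "UPX2"})


def build_fake_pe(section_names) -> bytes:
    """Constructed test data: a minimal PE32 header with the given section names.

    Only the fields pe_section_names() reads are filled in; the image is not loadable.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE | 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0b\x01" + b"\0" * (opt_size - 2)  # Magic 0x10B = PE32
    sections = b"".join(name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc", ".reloc", ".idata"])
    print("UPX section names present:", looks_upx_packed(sample))
    print("hashes match the report:", matches_report(sample))
```

A real sample is checked by reading its bytes and passing them to matches_report and looks_upx_packed; the section-name test is a quick hint only, since UPX variants with renamed sections are common and the absence of UPX0/UPX1 proves nothing.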
No data.
All screenshots are available in the full report
Total processes
198
Monitored processes
70
Malicious processes
8
Suspicious processes
4

Behavior graph

Process nodes in the order the graph lists them ("no specs" marks a process without notable indicators):

start
flashcenter_pp_ax_install_cn.exe
flashcenter_pp_ax_install_cn.exe
650a07f5-fecb-4dfb-95f8-7d6e788e1d1c
installflashplayer.exe
cmd.exe (no specs)
conhost.exe (no specs)
flashplayerupdateservice.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
5f48566f-c9b7-4b93-95d4-27e3d99eb7b0
installflashplayer.exe
installflashplayer.exe
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
flashhelperservice.exe (no specs)
flashhelperservice.exe
7557eefd-f22d-4f4f-ab1a-3324b508ae22
taskkill.exe (no specs) followed by conhost.exe (no specs), this pair repeated 20 times in the graph
flashcentersvc.exe (no specs)
flashcentersvc.exe
flashcenter.exe
fcbrowser.exe (no specs)
fclogin.exe
fcbrowser.exe (no specs)
fcbrowser.exe
fcbrowser.exe (no specs)
fcbrowser.exe (no specs)
fcbrowser.exe (no specs)

Process information

Each entry lists PID, command line (CMD), image path, parent process, then user, company, integrity level, description, exit code, version and the first loaded modules.

PID: 128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 488
CMD: "C:\WINDOWS\system32\Macromed\Temp\{F329150A-92BF-4781-BC9A-6CAA56646A5E}\InstallFlashPlayer.exe" -install -iv 8 -au 4294967295
Path: C:\Windows\SysWOW64\Macromed\Temp\{F329150A-92BF-4781-BC9A-6CAA56646A5E}\InstallFlashPlayer.exe
Parent process: 5F48566F-C9B7-4B93-95D4-27E3D99EB7B0
User:
admin
Company:
Adobe
Integrity Level:
HIGH
Description:
Adobe® Flash® Player Installer/Uninstaller 34.0 r0*
Exit code:
0
Version:
34,0,0,323
Modules
Images
c:\windows\syswow64\macromed\temp\{f329150a-92bf-4781-bc9a-6caa56646a5e}\installflashplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 932
CMD: "C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\615704F2-1654-4403-9858-644DE0985684\7557EEFD-F22D-4F4F-AB1A-3324B508AE22" /S=0 /InstallPath="C:\Program Files (x86)\FlashCenter" /TaskBarShortcut=1 /Bootup=1 /DeskShortcut=1 /SetDefaultProgram=0
Path: C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\615704F2-1654-4403-9858-644DE0985684\7557EEFD-F22D-4F4F-AB1A-3324B508AE22
Parent process: flashcenter_pp_ax_install_cn.exe
User:
admin
Company:
Chongqing Zhongcheng Network Technology Co., Ltd
Integrity Level:
HIGH
Description:
FlashCenter Installer
Exit code:
0
Version:
3.7.1.5
Modules
Images
c:\users\admin\appdata\local\adobe\4ab7960d-0633-4d7d-a7e4-bd6f8e4f4020\615704f2-1654-4403-9858-644de0985684\7557eefd-f22d-4f4f-ab1a-3324b508ae22
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1144
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: FlashPlayerUpdateService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1220
CMD: taskkill /F /IM "FCBrowserManager.exe"
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: 7557EEFD-F22D-4F4F-AB1A-3324B508AE22
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1328
CMD: taskkill /F /IM "FCGameManager.exe"
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: 7557EEFD-F22D-4F4F-AB1A-3324B508AE22
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1380
CMD: taskkill /F /IM "FlashCenterSa.exe"
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: 7557EEFD-F22D-4F4F-AB1A-3324B508AE22
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1512
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1544
CMD: "C:\WINDOWS\SysWOW64\Macromed\Flash\FlashHelperService.exe"
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe
Parent process: services.exe
User:
SYSTEM
Company:
重庆重橙网络科技有限公司 (Chongqing Zhongcheng Network Technology Co., Ltd, the same company named in English on the FlashCenter binaries)
Integrity Level:
SYSTEM
Description:
Flash Helper Service rc
Version:
2.3.1.49
Modules
Images
c:\windows\syswow64\macromed\flash\flashhelperservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1856
CMD: "C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe"
Path: C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Chongqing Zhongcheng Network Technology Co., Ltd
Integrity Level:
SYSTEM
Description:
FlashCenterSvc
Version:
3.0.1.20
Modules
Images
c:\program files (x86)\flashcenter\flashcentersvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
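The process table above shows the pattern a detection engineer would want to catch: a GUID-named binary with no extension launched from AppData, a burst of forced `taskkill /F /IM` calls from that binary, cmd.exe runs whose output is hidden, and two services started by services.exe as SYSTEM from binaries outside the bare System32/SysWOW64 directories. The following is an added example written for this page and is not part of the ANY.RUN report. The event records are constructed from the report's PIDs, paths and command lines; the Desktop location of the original sample, the cmd.exe command line (the report does not print it) and the two benign control events are assumptions, and the rule and field names are chosen here.

```python
"""Detection rules for the process-tree behaviours listed in this report.

Added example, not part of the ANY.RUN report. EVENTS is constructed from the
report's process table; fields marked 'assumed' are not shown in the report.
"""
import re
from collections import Counter

GUID_NAME = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
TASKKILL_FORCE = re.compile(r'\btaskkill(?:\.exe)?"?\s+/F\s+/IM\b', re.I)
HIDDEN_OUTPUT = re.compile(r">\s*nul\b|2>&1", re.I)
WINDOWS_SERVICE_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

DROPPER = (r"C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020"
           r"\615704F2-1654-4403-9858-644DE0985684\7557EEFD-F22D-4F4F-AB1A-3324B508AE22")
SERVICES = r"C:\Windows\System32\services.exe"
INSTALLER = r"C:\Users\admin\Desktop\flashcenter_pp_ax_install_cn.exe"  # location assumed

# Constructed process-creation records: pid, user, parent image, image, command line.
EVENTS = [
    {"pid": 932, "user": "admin", "parent": INSTALLER, "image": DROPPER,
     "cmd": rf'"{DROPPER}" /S=0 /InstallPath="C:\Program Files (x86)\FlashCenter" '
            r'/TaskBarShortcut=1 /Bootup=1 /DeskShortcut=1 /SetDefaultProgram=0'},
    {"pid": 1220, "user": "admin", "parent": DROPPER, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": 'taskkill /F /IM "FCBrowserManager.exe"'},
    {"pid": 1328, "user": "admin", "parent": DROPPER, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": 'taskkill /F /IM "FCGameManager.exe"'},
    {"pid": 1380, "user": "admin", "parent": DROPPER, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": 'taskkill /F /IM "FlashCenterSa.exe"'},
    {"pid": 6784, "user": "admin",  # command line assumed; the report only says output is hidden
     "parent": r"C:\Windows\SysWOW64\Macromed\Temp\{F329150A-92BF-4781-BC9A-6CAA56646A5E}\InstallFlashPlayer.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": r'cmd.exe /c del /q "%TEMP%\old.tmp" >nul 2>&1'},
    {"pid": 1544, "user": "SYSTEM", "parent": SERVICES,
     "image": r"C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe",
     "cmd": r'"C:\WINDOWS\SysWOW64\Macromed\Flash\FlashHelperService.exe"'},
    {"pid": 1856, "user": "SYSTEM", "parent": SERVICES,
     "image": r"C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe",
     "cmd": r'"C:\Program Files (x86)\FlashCenter\FlashCenterSvc.exe"'},
    # Benign controls (constructed) that the rules must not flag.
    {"pid": 4321, "user": "SYSTEM", "parent": SERVICES,
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 4322, "user": "admin", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_guid_named_binary(ev) -> bool:
    """'Starts application with an unusual extension': a bare GUID file name with no
    extension, launched from a user-writable directory."""
    return (GUID_NAME.match(_basename(ev["image"])) is not None
            and USER_WRITABLE.match(ev["image"]) is not None)


def rule_hidden_cmd_output(ev) -> bool:
    """'Hides command output': cmd.exe sending stdout/stderr to NUL."""
    return (_basename(ev["image"]).lower() == "cmd.exe"
            and HIDDEN_OUTPUT.search(ev["cmd"]) is not None)


def rule_third_party_system_service(ev) -> bool:
    """'Executes as Windows Service': started by services.exe as SYSTEM from a binary
    outside the bare System32/SysWOW64 directories. A triage filter, not proof of
    malice: legitimate third-party services match as well."""
    if _basename(ev["parent"]).lower() != "services.exe" or ev["user"].upper() != "SYSTEM":
        return False
    folder = ev["image"].lower().rsplit("\\", 1)[0]
    return folder not in WINDOWS_SERVICE_DIRS


def rule_taskkill_burst(events, threshold: int = 3) -> dict:
    """'Uses TASKKILL.EXE to kill process': `threshold` or more forced image kills from
    one parent (the report shows 20 from PID 932). Returns {parent: count}."""
    counts = Counter(ev["parent"] for ev in events if TASKKILL_FORCE.search(ev["cmd"]))
    return {parent: n for parent, n in counts.items() if n >= threshold}


def run_rules(events) -> dict:
    """Apply every rule; per-event rules collect PIDs, the burst rule collects parents."""
    hits = {"guid_named_binary": [], "hidden_cmd_output": [], "third_party_system_service": []}
    for ev in events:
        if rule_guid_named_binary(ev):
            hits["guid_named_binary"].append(ev["pid"])
        if rule_hidden_cmd_output(ev):
            hits["hidden_cmd_output"].append(ev["pid"])
        if rule_third_party_system_service(ev):
            hits["third_party_system_service"].append(ev["pid"])
    hits["taskkill_burst"] = rule_taskkill_burst(events)
    return hits


if __name__ == "__main__":
    for rule, result in run_rules(EVENTS).items():
        print(f"{rule}: {result}")
```

In production these records come from Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled; the burst rule should then be scoped to a time window as well as a parent, and the service rule needs an allowlist for the third-party services the environment legitimately runs.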
Total events
25 049
Read events
24 861
Write events
167
Delete events
21

Modification events

PID 6444, flashcenter_pp_ax_install_cn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 6444, flashcenter_pp_ax_install_cn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 6444, flashcenter_pp_ax_install_cn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 4840, 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 4840, 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 4840, 650A07F5-FECB-4DFB-95F8-7D6E788E1D1C
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 4576, InstallFlashPlayer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_32_0_0_465_pepper.exe
Operation: delete key
Name: (default)
Value: (empty)

PID 4576, InstallFlashPlayer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerPepper
Operation: write
Name: Version
Value: 34.0.0.323

PID 4576, InstallFlashPlayer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerPepper
Operation: write
Name: PlayerPath
Value: C:\WINDOWS\system32\Macromed\Flash\pepflashplayer64_34_0_0_323.dll

PID 4576, InstallFlashPlayer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerPepper
Operation: write
Name: UninstallerPath
Value: C:\WINDOWS\system32\Macromed\Flash\FlashUtil64_34_0_0_323_pepper.exe
Executable files
120
Suspicious files
129
Text files
294
Unknown types
49

Dropped files

Each entry lists PID and process, then the dropped file, its type, and its MD5 and SHA256.

PID 6444, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_caution_100.png (image)
MD5: 56F804DB5509B1CF08BE5C994AFC2322
SHA256: C4768FC9A84B0D3ECDEEE93820703D769737B992EFD1F0CBE9F7A9D3BBDFA0FB

PID 6628, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB (der)
MD5: C7263BBE79E11F4D46F47D650B775764
SHA256: C93AF1012657E7E5645CB82B1D9490FF17A346A26A0227EF522FA1E9D39DFBAE

PID 6628, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 (binary)
MD5: AB14720D4DA3D4ED1F137E0B80FD775C
SHA256: 8CE314044FEC18978318E1E41F6069FE471C98D673BBF3B183EEC3857110C877

PID 6628, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 (der)
MD5: 3BBEA0903E2381128DFF0D6CA99F6E58
SHA256: 70F5E793E98A997FFD800D8E38B8DB745DE2513B640256EE60D455087AB3F423

PID 6628, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_586720B4CCE6636BDFF0D8B1F2669FF4 (der)
MD5: A4D5BBC9D6DCDF1030C7648DE5195A87
SHA256: 4E4972F677273311A56D146EBCB6294E38E86A143BAE0DC206D27467B4896F15

PID 6444, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\warning_icon.png (image)
MD5: DE6D8A7F831194025F1CCF4B7054E6E5
SHA256: 0E7D5E9CF99C1D02047153D81A3C2A2C30CF8E15122776E0C0A982A036A48091

PID 6444, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_x_200.png (image)
MD5: 40A32023DBFCCA1A80B69408735E15C2
SHA256: D5A9BFE6D64F5C09F1DE3DCC74B30520DB5F78BCC6FC1E9A87EB141D9B46EA61

PID 6444, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_caution_150.png (image)
MD5: CA3872EAE64C5BFD8D41198990B11950
SHA256: 3438623C461F8F141976A931D3C00F6877D07CF4A8B534AF1EF9FDFE8B0C6174

PID 6444, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\Local\Adobe\4AB7960D-0633-4D7D-A7E4-BD6F8E4F4020\status_icon_x_150.png (image)
MD5: 5CC222F110ED5839F910FBBA15F35368
SHA256: EEE6E710161A3AA8488FB4C1F118B43FA5C377ECDEDFFAAE78A81865F16CF288

PID 6628, flashcenter_pp_ax_install_cn.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB (binary)
MD5: 79ED648AE1C81D8667E7176BF90C2696
SHA256: 0D10FA8B4D7E4B9A1D53563357F69DB6ED41EA77C07B7CC1757B367C93D01EDB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
126
DNS requests
43
Threats
4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the Type and Size columns are empty in the report)

5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1684 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1684 | svchost.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6628 | flashcenter_pp_ax_install_cn.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
6628 | flashcenter_pp_ax_install_cn.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
6628 | flashcenter_pp_ax_install_cn.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAioCjIOiEijpApnjmDKOq0%3D | unknown | whitelisted
6168 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | (NetBIOS name-service broadcast, no domain/ASN/CN listed) | whitelisted
4 | System | 192.168.100.255:138 | (NetBIOS datagram broadcast, no domain/ASN/CN listed) | whitelisted
(PID and process not shown) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.21.110.146:443 | www.bing.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1684 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1684 | svchost.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.21.110.146
  • 2.21.110.139
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.162
  • 23.48.23.166
  • 23.48.23.158
  • 23.48.23.147
  • 23.48.23.150
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 23.37.237.227
  • 88.221.169.152
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.78
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
www.flash.cn
  • 43.152.26.151
  • 43.152.28.43
  • 43.152.26.239
  • 43.152.29.148
  • 43.152.28.41
  • 43.152.26.209
  • 43.152.26.238
  • 43.152.28.111
  • 43.152.26.154
  • 43.152.29.72
  • 43.175.152.67
  • 43.152.29.101
  • 43.152.26.197
  • 43.152.28.77
  • 43.175.152.66
whitelisted
api.flash.cn
  • 43.152.28.77
  • 43.152.28.43
  • 43.152.26.239
  • 43.152.29.148
  • 43.152.26.151
  • 43.152.26.209
  • 43.152.26.154
  • 43.152.26.197
  • 43.175.152.67
  • 43.152.28.41
  • 43.152.28.111
  • 43.152.26.238
  • 43.152.29.72
  • 43.175.152.66
  • 43.152.29.101
unknown

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
Debug messages (process: message)

FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlFinished(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlError(QString) to (nullptr)::(nullptr)
FlashCenter.exe: QString::arg: Argument missing: QPushButton{font: 9pt "Microsoft YaHei UI";color:#444444;background-color:#FFFFFF;text-align:left;padding-left:16px;width:128px;height:32px;border: 0px; },
FlashCenter.exe: QObject::connect: Cannot connect CUrlEvent::signalUrlSSLError(QString) to (nullptr)::(nullptr)