File name: e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe

Full analysis: https://app.any.run/tasks/26a654bc-7019-496e-805c-fa6094edd47e
Verdict: Malicious activity
Analysis date: March 04, 2024, 07:32:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 200475D42DCE9C39CC817D341CBE6E54
SHA1: A64696EE22A3142FA32345A94DA4E632D0D3495E
SHA256: E2D26D8433862FF65C5AD246798CE5A71EADA659BB5CB7082A69BAFCA2E8B585
SSDEEP: 98304:4U0/Nj8xT8sbwn1PeU4aw5tRtP8kt2+Vw0/EzIuE+XPPJEyF24lRtvkRQf5PMahQ:St5K37cjqVNDG8U+enM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (PID: 5396)
      • FlashHelperService.exe (PID: 5292)
      • FlashPlayerInstaller.exe (PID: 1816)
  • SUSPICIOUS

    • Creates or modifies Windows services

      • FlashHelperService.exe (PID: 3008)
      • FlashHelperService.exe (PID: 5292)
    • Reads security settings of Internet Explorer

      • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (PID: 5396)
      • FlashPlayerInstaller.exe (PID: 1816)
      • FlashHelperService.exe (PID: 5292)
    • Reads the date of Windows installation

      • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (PID: 5396)
    • Executes as Windows Service

      • FlashHelperService.exe (PID: 5292)
    • Changes Internet Explorer settings (feature browser emulation)

      • FlashHelperService.exe (PID: 5292)
    • Checks Windows Trust Settings

      • FlashPlayerInstaller.exe (PID: 1816)
  • INFO

    • Checks supported languages

      • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (PID: 5396)
      • FlashHelperService.exe (PID: 3008)
      • FlashHelperService.exe (PID: 5292)
      • FlashPlayerInstaller.exe (PID: 1816)
    • Reads the computer name

      • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (PID: 5396)
      • FlashHelperService.exe (PID: 3008)
      • FlashHelperService.exe (PID: 5292)
      • FlashPlayerInstaller.exe (PID: 1816)
    • Process checks computer location settings

      • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (PID: 5396)
    • Creates files or folders in the user directory

      • FlashPlayerInstaller.exe (PID: 1816)
    • Reads the machine GUID from the registry

      • FlashPlayerInstaller.exe (PID: 1816)
      • FlashHelperService.exe (PID: 5292)
    • Reads the software policy settings

      • FlashPlayerInstaller.exe (PID: 1816)
    • Process checks whether UAC notifications are on

      • FlashPlayerInstaller.exe (PID: 1816)
    • Checks proxy server information

      • FlashPlayerInstaller.exe (PID: 1816)
      • slui.exe (PID: 3624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:06 09:27:16+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 101888
InitializedDataSize: 12945408
UninitializedDataSize: -
EntryPoint: 0x102f7
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 34.0.0.225
ProductVersionNumber: 34.0.0.225
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Systems Incorporated
FileDescription: Adobe® Flash® Player Installer/Uninstaller 34.0 r0
FileVersion: 34,0,0,225
InternalName: Adobe® Flash® Player Installer/Uninstaller 34.0
LegalCopyright: Copyright © 1996-2019 Adobe Systems Incorporated
LegalTrademarks: Adobe® Flash® Player
OriginalFileName: FlashUtil.exe
ProductName: Adobe® Flash® Player Installer/Uninstaller
ProductVersion: 34,0,0,225
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes, in the order the report lists them:
  • start
  • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
  • flashhelperservice.exe (no specs)
  • flashhelperservice.exe
  • flashplayerinstaller.exe
  • slui.exe
  • e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1816
CMD: "C:\WINDOWS\system32\Macromed\Temp\{5F09D135-7281-44AD-B696-99AE6637BD1A}\FlashPlayerInstaller.exe" -iv 20
Path: C:\Windows\SysWOW64\Macromed\Temp\{5F09D135-7281-44AD-B696-99AE6637BD1A}\FlashPlayerInstaller.exe
Parent process: e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
User:
admin
Company:
Adobe
Integrity Level:
HIGH
Description:
Adobe® Flash® Player Installer/Uninstaller 34.0 r0*
Exit code:
0
Version:
34,0,0,282
Modules
Images
c:\windows\syswow64\macromed\temp\{5f09d135-7281-44ad-b696-99ae6637bd1a}\flashplayerinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3008
CMD: "C:\WINDOWS\system32\Macromed\Flash\FlashHelperService.exe" -Start -dp=0 -fp=plugin
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe
Parent process: e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
User:
admin
Company:
重庆重橙网络科技有限公司
Integrity Level:
HIGH
Description:
Flash Helper Service
Exit code:
0
Version:
2.2.1.96
Modules
Images
c:\windows\syswow64\macromed\flash\flashhelperservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 3624
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 5292
CMD: "C:\WINDOWS\SysWOW64\Macromed\Flash\FlashHelperService.exe" -dp=0 -fp=plugin
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe
Parent process: services.exe
User:
SYSTEM
Company:
重庆重橙网络科技有限公司
Integrity Level:
SYSTEM
Description:
Flash Helper Service
Exit code:
0
Version:
2.2.1.96
Modules
Images
c:\windows\syswow64\macromed\flash\flashhelperservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 5396
CMD: "C:\Users\admin\AppData\Local\Temp\e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe"
Path: C:\Users\admin\AppData\Local\Temp\e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Parent process: explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
HIGH
Description:
Adobe® Flash® Player Installer/Uninstaller 34.0 r0
Exit code:
0
Version:
34,0,0,225
Modules
Images
c:\users\admin\appdata\local\temp\e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6304
CMD: "C:\Users\admin\AppData\Local\Temp\e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe"
Path: C:\Users\admin\AppData\Local\Temp\e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Parent process: explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 34.0 r0
Exit code:
3221226540
Version:
34,0,0,225
Modules
Images
c:\users\admin\appdata\local\temp\e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 3 213
Read events: 3 179
Write events: 33
Delete events: 1

Modification events

Process: (5396) e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (5396) e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (5396) e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (5396) e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3008) FlashHelperService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B9020634-CE8F-4F09-9FBC-D108A73A4676}
Operation: delete value
Name: LocalService
Value: (empty)

Process: (3008) FlashHelperService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B9020634-CE8F-4F09-9FBC-D108A73A4676}
Operation: write
Name: LocalService
Value: Flash Helper Service

Process: (3008) FlashHelperService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Flash Helper Service
Operation: write
Name: ImagePath
Value: "C:\WINDOWS\SysWOW64\Macromed\Flash\FlashHelperService.exe" -dp=0 -fp=plugin

Process: (5292) FlashHelperService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Macromedia\FlashHelper
Operation: write
Name: guid
Value: {76296040-A560-4b40-AC1E-EAD5B1174C3F}

Process: (5292) FlashHelperService.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\miniconfig
Operation: write
Name: guid
Value: {76296040-A560-4b40-AC1E-EAD5B1174C3F}

Process: (5292) FlashHelperService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Macromedia\FlashHelper
Operation: write
Name: ueip
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID: 1816
Process: FlashPlayerInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
MD5: (not listed)
SHA256: (not listed)

PID: 1816
Process: FlashPlayerInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_76F95DDD2DF771A335D86D21750F5C97
MD5: (not listed)
SHA256: (not listed)

PID: 5292
Process: FlashHelperService.exe
Filename: C:\WINDOWS\SysWOW64\Macromed\Flash\flashupdater.cfg
MD5: F60D1CE486A36FB13C91386006A05CC9
SHA256: 9AD291BAF0829A927687A6C751A5762AE65BB9B91FD72446962789EDE4CBE931

PID: 5396
Process: e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Filename: C:\WINDOWS\SysWOW64\Macromed\Temp\{5F09D135-7281-44AD-B696-99AE6637BD1A}\FlashPlayerInstaller.exe
MD5: (not listed)
SHA256: (not listed)

PID: 5292
Process: FlashHelperService.exe
Filename: C:\WINDOWS\system32\Macromed\Flash\flashupdater.cfg
MD5: 71FFE3E18F263DA9E99E4B8B2691055B
SHA256: A4D5B676A6FF0422174139AE276C4E1EA83C16EB966065A54C5756EFF2E8FBE8

PID: 1816
Process: FlashPlayerInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
MD5: 3067E6F6C2A5BDFB802C29E9890E389C
SHA256: 14923647AF456E3122CBF0ACFA1AE66869B67813CE7E4B08C9727FAD25047696

PID: 1816
Process: FlashPlayerInstaller.exe
Filename: C:\WINDOWS\SysWOW64\Macromed\Temp\{1265F17F-FB99-4388-8B45-54AE87A8B9D0}\fpb.tmp
MD5: EBD7A215DB524D29C331E860DA41521C
SHA256: 14276B221E1D0C773B652AD83299347004C52EDF776E449821D4435D1EDDFDEA

PID: 1816
Process: FlashPlayerInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_76F95DDD2DF771A335D86D21750F5C97
MD5: B773BD7B8E2DC2904DFED77FE243314F
SHA256: 4E3DA5F8C38A2297E528A00E6339BAD80C717FEC1E95EEAE515A51294C4CB862

PID: 1816
Process: FlashPlayerInstaller.exe
Filename: C:\WINDOWS\SysWOW64\Macromed\Temp\{2F3EF2BC-4DB0-4335-9DAA-AF7D653557A3}\fpb.tmp
MD5: C393B32BED4905CE258EE8B8C15EDA47
SHA256: EABE2A7114279AD4CBF65DF1C28C7B475A626F7AB25DECBD07302C63F4DC8FD5

PID: 5396
Process: e2d26d8433862ff65c5ad246798ce5a71eada659bb5cb7082a69bafca2e8b585.exe
Filename: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashHelperService.exe
MD5: 4578F340915424D019CEAF2A5B1CA4BC
SHA256: FBC878D8620B85C032B918D1C038D492C877ED8396CDA5112F042E6A62AB3F8F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 42
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5928 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | 471 b | unknown
3500 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | 1.01 Kb | unknown
1816 | FlashPlayerInstaller.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | - | 471 b | unknown
1816 | FlashPlayerInstaller.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEASOjlE%2B462x5f%2BQYXZVXYI%3D | unknown | - | 471 b | unknown
872 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | - | 312 b | unknown
5408 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | - | 471 b | unknown
2464 | svchost.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3500 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3848 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
5928 | svchost.exe | 40.126.31.69:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6896 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5928 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3500 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1816 | FlashPlayerInstaller.exe | 23.192.254.115:443 | fpdownload.macromedia.com | AKAMAI-AS | US | unknown
1816 | FlashPlayerInstaller.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
ocsp.digicert.com | 192.229.221.95 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
crl.microsoft.com | 2.16.164.9, 2.16.164.106 | whitelisted
fpdownload.macromedia.com | 23.192.254.115 | whitelisted
www.bing.com | 2.23.209.156, 2.23.209.160, 2.23.209.158, 2.23.209.143, 2.23.209.149, 2.23.209.144, 2.23.209.150, 2.23.209.154, 2.23.209.148 | whitelisted
arc.msn.com | 20.31.169.57 | whitelisted
slscr.update.microsoft.com | 40.68.123.157 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
api.flash.cn | 117.149.248.40, 112.47.51.224, 112.47.51.222, 112.47.51.221, 112.47.51.223, 112.47.51.225 | unknown
tongji.flash.cn | 112.47.51.221, 112.47.51.222, 112.47.51.223, 112.47.51.224, 112.47.51.225, 117.149.248.40 | whitelisted

Threats

No threats detected
No debug info