Windows Analysis Report
SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Analysis ID: 1417005
MD5: 4f15b30cc6a579d7f7382b39419ecf0f
SHA1: 52ff04c9b1f5d6a9082d637257f850743d2e4da7
SHA256: 6abe4099601f16093e0a2728fd2f4d3cd34da18177d69cc7ea0082e1f832dd6f
Tags: exe
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 49
Range: 0 - 100

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
JA3 SSL client fingerprint seen in connection with other malware
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://tongji.flash.cn/hm4.gif?product=mini&event=show&uid={1CDACC51-0778-478e-9983-CF8CEA5837C2}&um=6F94DF17F2E10BEA5C3FC00A1C2F54B7&platform=windows&channel=10000&version=2.2.1.96&osversion=10.0.19041.1889&signature=F4D5479F05D7436FA93C605395EAFD25&key=2&data=15948E433789B8E742E357ED192DFACA1C5D7F6F92D1217A758374CDAEBBD03C3ABEC9D4684C96362684C9A670A4CF386840EC5A2AB941A6C208E37223F479B47F76B7110DDCFF1A751FE5E5972B8F11032420EFE98881CD55D3F02D41B93E33 Avira URL Cloud: Label: phishing
Source: https://tongji.flash.cn/hm4.gif?product=%s&event=%s&uid=%s&um=%s&platform=windows&channel=10000&vers Avira URL Cloud: Label: phishing
Source: https://tongji.flash.cn/hm4.gif?product=hs&event=fhsinstallWin10ActiveX&uid= Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: https://www.flash.cn/cdm/latest/flashplayerpp_update_cn.exe Virustotal: Detection: 6% Perma Link
Source: https://www.flash.cn/cdm/latest/flashplayerax_update_cn.exe Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Virustotal: Detection: 28% Perma Link
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_e09b4cb1-2
Contains functionality to create an SMB header
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: mov dword ptr [esi+04h], 424D53FFh 2_2_00941180
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION FlashHelperService.exe Jump to behavior

Compliance
barindex
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FlashCenter Jump to behavior
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 43.152.136.177:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.152.136.177:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\FlashBroker.build\Release\Win32\FlashUtil.pdb source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2857698640.000000006CA03000.00000002.00000001.01000000.0000000A.sdmp, fpb.tmp0.3.dr
Source: Binary string: D:\code\Flash_Helper\FlashHelper\Build\Release\FlashHelperService_release.pdb8 source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\FlashBroker.build\Release\Win32\FlashUtil.pdb source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2857698640.000000006CA03000.00000002.00000001.01000000.0000000A.sdmp, fpb.tmp0.3.dr
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\Morphology.build\Release\Win32\Morpheme.pdb source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1671202698.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000003.1675576327.0000000003EB3000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2854757562.0000000000EEC000.00000002.00000001.01000000.00000008.sdmp, FlashPlayerInstaller.exe, 00000003.00000000.1672334542.0000000000EEC000.00000002.00000001.01000000.00000008.sdmp, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr
Source: Binary string: D:\code\Flash_Helper\FlashHelper\Build\Release\FlashHelperService_release.pdb source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr
Source: Binary string: c:\jenkins\workspace\System_Offline_Installers_Git\2144\2144InstallerEngine\Release\2144InstallerEngine.pdb source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F88460 _memset,SetDllDirectoryW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetCommandLineW,CommandLineToArgvW,_memset,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,GetModuleFileNameW,_wcsrchr,GetSystemDirectoryW,GetSystemDirectoryW,FindFirstFileW,FindClose,CopyFileW,DeleteFileW,RemoveDirectoryW,ExitProcess,GetSystemDirectoryW,FreeLibrary,FreeLibrary,ExitProcess, 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F835F0 GetSystemDirectoryW,FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00F835F0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00ADE407 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose, 2_2_00ADE407
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009F6B80 FindFirstFileA,FindClose,FindClose,FindClose, 2_2_009F6B80
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E35E0 FindFirstFileW,FindNextFileW,FindNextFileW,_wcslen,FindNextFileW,FindClose,GetLastError, 3_2_6C9E35E0
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9DEF50 GetSystemTime,SystemTimeToFileTime,_wcslen,FindFirstFileW,_wcslen,_wcslen,RemoveDirectoryW,_wcslen,_wcslen,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_6C9DEF50
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E49AC FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_6C9E49AC
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E5955 FindFirstFileW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose, 3_2_6C9E5955
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9D6AFC new,MultiByteToWideChar,MultiByteToWideChar,_wcslen,FindFirstFileW,FindNextFileW,FindClose,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_6C9D6AFC
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E3A6E FindFirstFileA,GetLastError,_strstr,FindNextFileA,FindClose, 3_2_6C9E3A6E
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9D34A8 FindFirstFileW,SysAllocString,GetLastError, 3_2_6C9D34A8
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E0000 GetFileAttributesW,_wcslen,FindFirstFileW,_wcslen,_wcslen,FindNextFileW,FindClose,FindClose,CreateFileW,GetFileSizeEx,CloseHandle, 3_2_6C9E0000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /config/powerBoot?helper=2.2.1.96& HTTP/1.1Host: api.flash.cnAccept: */*guid:{1CDACC51-0778-478e-9983-CF8CEA5837C2}helper:2.2.1.96
Source: global traffic HTTP traffic detected: GET /config/fc_check_update?helper=2.2.1.96 HTTP/1.1Host: api.flash.cnAccept: */*guid:{1CDACC51-0778-478e-9983-CF8CEA5837C2}helper:2.2.1.96
Source: global traffic HTTP traffic detected: GET /hm2.gif?msgtype=helper&data=6F76D319CE5E22BBEDDE5F7486E15839BD5C3C95456EE934AED2E7589794445E0B8D4D7CCF441E001C435D00E89E4351D683800531FF08900FC8D6C25895094AA7669F2143BD5B8DEAE44A5973CAB16B387AED7ED7EE3F45EAF963E647A4C96C9CE3FAD00ACF80EFE2E1EC094F60E964F51A70BAEF104D3D333862AE58E2DE540778D77890DA67FB2795A102530E5638D61A1267C7BB7D0ADE6D19CA2010C05D988E0347FBCB8C06744887F6AC4D16EBA725ADCEBB8876EEE74BB648603BF73DC0EF381D7CD127A96F3BB8AB3E12D06928EC61A9D692CCCBADD51AC6C16D575A9E058288CA635F19615C2C8F366C7C97BDF9F9416EADC6A0D89ACC4F27931003&token=B5ACDF4229E567BFCC1E227F41CACB42&osversion=10.0.19041.1889&time=1711629661 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: global traffic HTTP traffic detected: GET /hm2.gif?msgtype=install&data=979EA788DE83B755CE191CCC17A2E381823E74F0BBFB6633E04B4A1E29C8C57B491C3ECD2E94376CF413DBCD03A3DA7E8A0932BF78A49A6458CDEE0F7A24DF3A882EA31A747A2DCC37F9B24F94A5C8C5FB5BE656CFAFFCFC7992C03387D2C2EEDAE585B2121D3C5B6860C43C239656E544A95990485B7C48B0ED77D9919CBE660951123C0E7BA644455DE948BB3A7FB8CF3B644AF4362AFA73B718044621DB5825C54F863852F1D5E17922CCE770B7595EEAEA76BF4E76BB9C700B36209A3B6639B5392EBA3CEACB044F2A3537247E57DA7B63B5BEF558DF6D43855855DC8DA093E2C02A0DD6338235FB8E88FBD0BAE7FBB395102EF61B21CCB59D993472E71DED7B0061A83A7169036ADFA3F9FF85954FAC08A9BEFAAE8225F4F266DA99687D62C301EF66ED4CB281DF4AF2BD904F7361BE3554ED3BDF10CC6253A540971CEB41701FFAF035EDC530BD7399273E8C6EC4BF7337AF158FE558FE0F61B07268C4393AD7C8EFE2E33ECA767ECBBAF15B1E06CF85814809F4E80D6F22629B5058B8DF62819771E9FCC4403A762CA4532319FE06C2F425F0BC41A9EB65C4725C860FA0012AF5839906BCF75AC7AA22984E42D96815C9A9C70FC1066E3E821C10420B5333B5F31D03049015CF91E518DE225000FE3FF7254687661ED8A14673ACC4C8&token=72664B7DD2A5E5278E8C3C6323CEF6BE&osversion=10.0.19041.1889&time=1711629661 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: global traffic HTTP traffic detected: GET /hm2.gif?msgtype=mini&data=CDDF8FC74D3B33B2BC58AC6497635275A578D991405693D301B4C76D59C4293ED05FC25481CAD619640BC8674E985947D3ADC6D7F013C0338C95136482D16D8B6B920131A026D54E777254D3247DC5A3E1B0007F1D1EABAD078C74FC3BC4D6AE1DD0D06BD9480C61D2E4FCA06FDDD705977A60698BF212CC854832B570A70F8242FD2F48A0723CCBB0EC109C413882CD90E35D7F53420390F5C02E171ECA905459A43935B9BAE436DE3D299CC5521C5310A26A0E3E60F911D18CCDFEEC3F903CAD2FE97E44C5954FE4CA74FE1C30DC6E0754B71EDB83E08B4FDF1EFFAC212EEF&token=C762B21F41ED94B5C38E7FBFA9E2F488&osversion=10.0.19041.1889&time=1711629663 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: global traffic HTTP traffic detected: GET /hm4.gif?product=mini&event=show&uid={1CDACC51-0778-478e-9983-CF8CEA5837C2}&um=6F94DF17F2E10BEA5C3FC00A1C2F54B7&platform=windows&channel=10000&version=2.2.1.96&osversion=10.0.19041.1889&signature=F4D5479F05D7436FA93C605395EAFD25&key=2&data=15948E433789B8E742E357ED192DFACA1C5D7F6F92D1217A758374CDAEBBD03C3ABEC9D4684C96362684C9A670A4CF386840EC5A2AB941A6C208E37223F479B47F76B7110DDCFF1A751FE5E5972B8F11032420EFE98881CD55D3F02D41B93E33 HTTP/1.1Host: tongji.flash.cnAccept: */*
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 43.152.136.177 43.152.136.177
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 810697754393ebcebe7efd53abfbfa31
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0091F050 recv,WSAGetLastError, 1_2_0091F050
Source: global traffic HTTP traffic detected: GET /config/powerBoot?helper=2.2.1.96& HTTP/1.1Host: api.flash.cnAccept: */*guid:{1CDACC51-0778-478e-9983-CF8CEA5837C2}helper:2.2.1.96
Source: global traffic HTTP traffic detected: GET /config/fc_check_update?helper=2.2.1.96 HTTP/1.1Host: api.flash.cnAccept: */*guid:{1CDACC51-0778-478e-9983-CF8CEA5837C2}helper:2.2.1.96
Source: global traffic HTTP traffic detected: GET /hm2.gif?msgtype=helper&data=6F76D319CE5E22BBEDDE5F7486E15839BD5C3C95456EE934AED2E7589794445E0B8D4D7CCF441E001C435D00E89E4351D683800531FF08900FC8D6C25895094AA7669F2143BD5B8DEAE44A5973CAB16B387AED7ED7EE3F45EAF963E647A4C96C9CE3FAD00ACF80EFE2E1EC094F60E964F51A70BAEF104D3D333862AE58E2DE540778D77890DA67FB2795A102530E5638D61A1267C7BB7D0ADE6D19CA2010C05D988E0347FBCB8C06744887F6AC4D16EBA725ADCEBB8876EEE74BB648603BF73DC0EF381D7CD127A96F3BB8AB3E12D06928EC61A9D692CCCBADD51AC6C16D575A9E058288CA635F19615C2C8F366C7C97BDF9F9416EADC6A0D89ACC4F27931003&token=B5ACDF4229E567BFCC1E227F41CACB42&osversion=10.0.19041.1889&time=1711629661 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: global traffic HTTP traffic detected: GET /hm2.gif?msgtype=install&data=979EA788DE83B755CE191CCC17A2E381823E74F0BBFB6633E04B4A1E29C8C57B491C3ECD2E94376CF413DBCD03A3DA7E8A0932BF78A49A6458CDEE0F7A24DF3A882EA31A747A2DCC37F9B24F94A5C8C5FB5BE656CFAFFCFC7992C03387D2C2EEDAE585B2121D3C5B6860C43C239656E544A95990485B7C48B0ED77D9919CBE660951123C0E7BA644455DE948BB3A7FB8CF3B644AF4362AFA73B718044621DB5825C54F863852F1D5E17922CCE770B7595EEAEA76BF4E76BB9C700B36209A3B6639B5392EBA3CEACB044F2A3537247E57DA7B63B5BEF558DF6D43855855DC8DA093E2C02A0DD6338235FB8E88FBD0BAE7FBB395102EF61B21CCB59D993472E71DED7B0061A83A7169036ADFA3F9FF85954FAC08A9BEFAAE8225F4F266DA99687D62C301EF66ED4CB281DF4AF2BD904F7361BE3554ED3BDF10CC6253A540971CEB41701FFAF035EDC530BD7399273E8C6EC4BF7337AF158FE558FE0F61B07268C4393AD7C8EFE2E33ECA767ECBBAF15B1E06CF85814809F4E80D6F22629B5058B8DF62819771E9FCC4403A762CA4532319FE06C2F425F0BC41A9EB65C4725C860FA0012AF5839906BCF75AC7AA22984E42D96815C9A9C70FC1066E3E821C10420B5333B5F31D03049015CF91E518DE225000FE3FF7254687661ED8A14673ACC4C8&token=72664B7DD2A5E5278E8C3C6323CEF6BE&osversion=10.0.19041.1889&time=1711629661 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: global traffic HTTP traffic detected: GET /hm2.gif?msgtype=mini&data=CDDF8FC74D3B33B2BC58AC6497635275A578D991405693D301B4C76D59C4293ED05FC25481CAD619640BC8674E985947D3ADC6D7F013C0338C95136482D16D8B6B920131A026D54E777254D3247DC5A3E1B0007F1D1EABAD078C74FC3BC4D6AE1DD0D06BD9480C61D2E4FCA06FDDD705977A60698BF212CC854832B570A70F8242FD2F48A0723CCBB0EC109C413882CD90E35D7F53420390F5C02E171ECA905459A43935B9BAE436DE3D299CC5521C5310A26A0E3E60F911D18CCDFEEC3F903CAD2FE97E44C5954FE4CA74FE1C30DC6E0754B71EDB83E08B4FDF1EFFAC212EEF&token=C762B21F41ED94B5C38E7FBFA9E2F488&osversion=10.0.19041.1889&time=1711629663 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: global traffic HTTP traffic detected: GET /hm4.gif?product=mini&event=show&uid={1CDACC51-0778-478e-9983-CF8CEA5837C2}&um=6F94DF17F2E10BEA5C3FC00A1C2F54B7&platform=windows&channel=10000&version=2.2.1.96&osversion=10.0.19041.1889&signature=F4D5479F05D7436FA93C605395EAFD25&key=2&data=15948E433789B8E742E357ED192DFACA1C5D7F6F92D1217A758374CDAEBBD03C3ABEC9D4684C96362684C9A670A4CF386840EC5A2AB941A6C208E37223F479B47F76B7110DDCFF1A751FE5E5972B8F11032420EFE98881CD55D3F02D41B93E33 HTTP/1.1Host: tongji.flash.cnAccept: */*
Source: unknown DNS traffic detected: queries for: api.flash.cn
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: fpb.tmp0.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, FlashPlayerInstaller.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml&playerType=full
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://mini.ffnews.cn/additional/feedback/index.html?id=%sopen12clickclick1LockFeedbackLockFeedback2
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://mini.ffnews.cn/index.html
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://mini.ffnews.cn/index.html0http://mini.ffnews.cn/tips.htmltips_times0mini_countopen_mini_timem
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://mini.ffnews.cn/index.html1http://mini.ffnews.cn/tips.htmlnext_open_interval1open_mini_time2E8
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://mini.ffnews.cn/index.htmlonCountopenhttp://mini.ffnews.cn/count.htmlClientInvokeWeb30supportF
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://mini.ffnews.cn/tips.html
Source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, fpb.tmp.3.dr, FlashHelperService.exe.0.dr, FlashPlayerInstaller.exe.0.dr, fpb.tmp0.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%s/config/getBin?helper=%s&%sueip%s
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%s/config/getCdnBin?helper=%s&%sinterface
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%s/config/mini?helper=%s&guid=%s&count=%d&opentype=%s00http://mini.ffnews.cn/ind
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%s/config/scanConfig?helper=%s&guid=%s4fcatuoCDMShowTimedata
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%s/fp?time=%sC2&F6E5#8b1D#5AdIW)r(TIgP
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%s/getfc?data=%s&token=%s&time=%s&helper=%sUninstallerPathGenerateLogsFlashPlaye
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn%sppv=%s&
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn/config/checkSign
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn/config/checkSignFlashPlayerPlugindev%spluginv=%s&fcdownloadcdm:Software
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn/config/realtime
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn/config/realtimeforceTips11010102tips_intervalFileVersionFileDescriptionInternal
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn/config/realtimeguidforceMinihelper1next_open_interval102open_mini_time102-1-110
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn0%s/config/powerBoot?helper=%s&%s
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cn2.0.1.9%s/config/getCdnValue?helper=%s&%sworkflow%d0adwebsite_new
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cnFlashPlayerPluginauthtime%s/go/getAdvertisementImage303authtimeinterface
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cnProductVersion%s/config/fixtoolfpUpdaterServicePortcountdevCDMShowTime
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://api.flash.cnfp_open_tip_time%s/config/getCdnValue?helper=%s&%sopen_mini_timeinterface
Source: FlashHelperService.exe, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: FlashHelperService.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: FlashPlayerInstaller.exe, 00000003.00000003.1685722671.0000000001F04000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fpdownload.macromedia.com/
Source: FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fpdownload.macromedia.com//8
Source: FlashPlayerInstaller.exe, 00000003.00000003.1685452057.0000000001F2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fpdownload.macromedia.com/get/flashplayer/update/current/activate/exec.xml
Source: FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001E68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fpdownload.macromedia.com/get/flashplayer/update/current/activate/exec.xml0
Source: FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001E68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fpdownload.macromedia.com/get/flashplayer/update/current/activate/exec.xml~
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1671202698.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000003.1675576327.0000000003EB3000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2854757562.0000000000EEC000.00000002.00000001.01000000.00000008.sdmp, FlashPlayerInstaller.exe, 00000003.00000000.1672334542.0000000000EEC000.00000002.00000001.01000000.00000008.sdmp, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr String found in binary or memory: https://fpdownload.macromedia.com/pub/flashplayer/update/current/sau/34/install/install_all_win_http
Source: FlashPlayerInstaller.exe String found in binary or memory: https://kb2.ad
Source: FlashPlayerInstaller.exe String found in binary or memory: https://kb2.adobe.
Source: FlashPlayerInstaller.exe String found in binary or memory: https://labs.a
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://mini.ffnews.cn/additional/feedback/index.html?from=tips&id=%s12tipsdownloadembupdate-2Tipads
Source: FlashHelperService.exe, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://tongji.flash.cn
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://tongji.flash.cn%s/hm2.gif?msgtype=%s&data=%s&token=%s&time=%sFCHandler
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://tongji.flash.cn%s/hm2.gif?msgtype=fhsparent&data=%s&token=%s&time=%sB2&f6E5?8b1A#4C2%s&%s&cl
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://tongji.flash.cn%s/hm2.gif?msgtype=lnk&data=%s&token=%s&time=%ssystray
Source: FlashHelperService.exe, 00000002.00000003.1679174122.0000000003E83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tongji.flash.cn/hm2.gif?msgtype=helper&data=6F76D319CE5E22BBEDDE5F7486E15839BD5C3C95456EE934
Source: FlashHelperService.exe, 00000002.00000003.1678396322.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tongji.flash.cn/hm2.gif?msgtype=install&data=979EA788DE83B755CE191CCC17A2E381823E74F0BBFB663
Source: FlashHelperService.exe, 00000002.00000002.2857997254.0000000003EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tongji.flash.cn/hm2.gif?msgtype=mini&data=CDDF8FC74D3B33B2BC58AC6497635275A578D991405693D301
Source: FlashHelperService.exe String found in binary or memory: https://tongji.flash.cn/hm4.gif?product=%s&event=%s&uid=%s&um=%s&platform=windows&channel=10000&vers
Source: FlashHelperService.exe, 00000002.00000003.1654745561.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tongji.flash.cn/hm4.gif?product=hs&event=fhsinstallWin10ActiveX&uid=
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://tongji.flash.cnSOFTWARE
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayer_update_cn.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayer_update_cn.exeflashplayerax_install_cn.execenter
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayer_update_cn.exehshttps://www.flash.cn/cdm/latest/flashplay
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayerax_update_cn.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayerax_update_cn.exe.exeflash_cdm_%s
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayerax_update_cn.exeflash
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayerax_update_cn.exeminiurlexplorer.exeonCountminiurlFF
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayerpp_update_cn.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/cdm/latest/flashplayerpp_update_cn.exe1flashplayer_install_cn.exe2=flashplayerp
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr String found in binary or memory: https://www.flash.cn/ueip/index.html10ueipS1huorongFileVersionFileDescriptionInternalNameCompanyName
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 43.152.136.177:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.152.136.177:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 112.47.51.225:443 -> 192.168.2.4:49739 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: FlashPlayerInstaller.exe Binary or memory string: DirectInput8Create
Installs a global mouse hook
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll Jump to behavior
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9D6130: lstrlenW,DeviceIoControl, 3_2_6C9D6130
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9DB06B GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CloseHandle,OpenProcess,OpenProcessToken,DuplicateTokenEx,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,CloseHandle, 3_2_6C9DB06B
Creates files inside the system directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Flash Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe File created: C:\Windows\SysWOW64\Macromed\Flash\flashupdater.cfg Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe File created: C:\Windows\system32\Macromed Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe File created: C:\Windows\system32\Macromed\Flash Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe File created: C:\Windows\system32\Macromed\Flash\flashupdater.cfg Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe File deleted: C:\Windows\SysWOW64\Macromed\Temp\{BEED5110-3922-4357-91FC-E2942647009F}\fpb.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F95118 0_2_00F95118
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F862C0 0_2_00F862C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F91FE3 0_2_00F91FE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F8DFA0 0_2_00F8DFA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F89790 0_2_00F89790
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00930020 1_2_00930020
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092E040 1_2_0092E040
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092F160 1_2_0092F160
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092F230 1_2_0092F230
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E4350 1_2_009E4350
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092F490 1_2_0092F490
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E0400 1_2_009E0400
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00926470 1_2_00926470
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00916460 1_2_00916460
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00931580 1_2_00931580
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092E6C0 1_2_0092E6C0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092F6E0 1_2_0092F6E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0091D7A0 1_2_0091D7A0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0091C700 1_2_0091C700
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E3700 1_2_009E3700
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009DF730 1_2_009DF730
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092F8E0 1_2_0092F8E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E09D7 1_2_009E09D7
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092E930 1_2_0092E930
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00930940 1_2_00930940
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00939970 1_2_00939970
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00911B00 1_2_00911B00
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0091DB70 1_2_0091DB70
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092FC80 1_2_0092FC80
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E1C40 1_2_009E1C40
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E3DC0 1_2_009E3DC0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00957D10 1_2_00957D10
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009E2F1D 1_2_009E2F1D
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00AD737C 2_2_00AD737C
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0091D7A0 2_2_0091D7A0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0091DB70 2_2_0091DB70
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E8000 2_2_009E8000
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00930020 2_2_00930020
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092E040 2_2_0092E040
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A18050 2_2_00A18050
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E806C 2_2_009E806C
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A0E190 2_2_00A0E190
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A14120 2_2_00A14120
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A24150 2_2_00A24150
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A1A390 2_2_00A1A390
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E4350 2_2_009E4350
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A26340 2_2_00A26340
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00972490 2_2_00972490
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E0400 2_2_009E0400
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00926470 2_2_00926470
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00916460 2_2_00916460
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0099C500 2_2_0099C500
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092E6C0 2_2_0092E6C0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A18640 2_2_00A18640
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0091C700 2_2_0091C700
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A0C840 2_2_00A0C840
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E09D7 2_2_009E09D7
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092E930 2_2_0092E930
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00930940 2_2_00930940
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A1AA40 2_2_00A1AA40
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E2F1D 2_2_009E2F1D
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00ADAF2B 2_2_00ADAF2B
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A0CF10 2_2_00A0CF10
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00AD2F15 2_2_00AD2F15
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00AC50A0 2_2_00AC50A0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A19010 2_2_00A19010
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E71C0 2_2_009E71C0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009531E0 2_2_009531E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092F160 2_2_0092F160
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009592A0 2_2_009592A0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092F230 2_2_0092F230
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A1B380 2_2_00A1B380
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092F490 2_2_0092F490
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00931580 2_2_00931580
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0097D550 2_2_0097D550
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092F6E0 2_2_0092F6E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0099B620 2_2_0099B620
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E3700 2_2_009E3700
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009DF730 2_2_009DF730
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092F8E0 2_2_0092F8E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E78E0 2_2_009E78E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A23820 2_2_00A23820
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A17860 2_2_00A17860
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00939970 2_2_00939970
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A19950 2_2_00A19950
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00911B00 2_2_00911B00
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092FC80 2_2_0092FC80
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A1BC10 2_2_00A1BC10
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E1C40 2_2_009E1C40
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00AD9DBB 2_2_00AD9DBB
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009E3DC0 2_2_009E3DC0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00957D10 2_2_00957D10
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0099BD50 2_2_0099BD50
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00A1FE60 2_2_00A1FE60
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00949F00 2_2_00949F00
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00ACFF6F 2_2_00ACFF6F
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E8C0D 3_2_6C9E8C0D
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9FCF00 3_2_6C9FCF00
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EBF2D 3_2_6C9EBF2D
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9F1947 3_2_6C9F1947
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EBAF8 3_2_6C9EBAF8
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9D2A42 3_2_6C9D2A42
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9F1B76 3_2_6C9F1B76
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E7B73 3_2_6C9E7B73
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9C1474 3_2_6C9C1474
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EB6E0 3_2_6C9EB6E0
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9F1718 3_2_6C9F1718
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EB1E4 3_2_6C9EB1E4
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E7220 3_2_6C9E7220
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6CA0138B 3_2_6CA0138B
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EC362 3_2_6C9EC362
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe FBC878D8620B85C032B918D1C038D492C877ED8396CDA5112F042E6A62AB3F8F
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: String function: 6C9E2113 appears 180 times
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: String function: 6C9C30C7 appears 183 times
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: String function: 6C9EA470 appears 40 times
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: String function: 6C9D9009 appears 53 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 0091B320 appears 254 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00AD0900 appears 71 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00AC8390 appears 101 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00A235A0 appears 35 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00917AC0 appears 52 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00938830 appears 36 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 0092A600 appears 364 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 0091B2C0 appears 75 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00911080 appears 154 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 0096EAF0 appears 38 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 0092A580 appears 262 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 00AC4F10 appears 315 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 0097F0A0 appears 94 times
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: String function: 009395A0 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: String function: 00F81070 appears 61 times
PE file contains executable resources (Code or Archives)
Source: fpb.tmp0.3.dr Static PE information: Resource name: RT_STRING type: PDP-11 overlaid separate executable not stripped
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %111122-1-3373060open_tip_time0tips_times100S1huorong0tips_timeshttps://api.flash.cn/config/realtimeforceTips11010102tips_intervalFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersiontipsopen_tip_timeSoftware\Microsoft\Windows\CurrentVersion\miniconfig60tips_intervalSoftware\Microsoft\Windows\CurrentVersion\miniconfig013open_tip_timeopen_mini_time101key=embupdate_newhttps://api.flash.cn%s/config/getCdnBin?helper=%s&%sinterface error, errorcode:%dD2&FGE5#8b1D#7JLopen_tip_timeopen_mini_timeembupdate_newSoftware\Microsoft\Windows\CurrentVersion\miniconfigembupdateSoftware\Microsoft\Windows\CurrentVersion\miniconfig:Software\Macromedia\FlashHelperembupdatemini_flashplayerSoftware\Macromedia\FlashHelpermini_bootupmini_taskschedulertips_bootuptips_taskschedulertips_flashplayer0SOFTWARE\Macromedia\FlashHelperactive011key=task_scheduler0https://api.flash.cnfp_open_tip_time%s/config/getCdnValue?helper=%s&%sopen_mini_timeinterface error, errorcode:%dtask_schedulerguidhttps://api.flash.cn%s/config/mini?helper=%s&guid=%s&count=%d&opentype=%s00http://mini.ffnews.cn/index.htmlhttp://mini.ffnews.cn/tips.htmlD2&FGE5#8b1D#7JL0mini_count,00http://mini.ffnews.cn/index.html0http://mini.ffnews.cn/tips.htmltips_times0mini_countopen_mini_timemini_countopen_tip_time00mini_countinstall1guidhttps://api.flash.cn%s/config/warning?msgtype=lnk&helper=%s&guid=%s02open_mini_timeguid3https://api.flash.cnopen_tip_time%s/config/tips?helper=%s&guid=%s&count=%d&opentimestamp=%s00http://mini.ffnews.cn/index.htmlhttp://mini.ffnews.cn/tips.htmlD2&FGE5#8b1D#7JLC2&F6E5#8b1D#5Ad,\\.\pipe\ADHelperDownPipe\\.\pipe\ADHelperDownPipe00http://mini.ffnews.cn/index.html1http://mini.ffnews.cn/tips.htmlnext_open_interval1open_mini_time2E8BD8E275C1A38BD4FEFF4F4926DDF65|F2F149F56F1D7A62C69E0665681E5CF8|A13D73DAD59D392D78547A28B4F843CF121D228927CA9C82AEF2B0D7FC4CC8CAD9EDisplayName1SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSoftware\Microsoft\Windows\CurrentVersion\miniconfigD228927CA9C82AEF2B0D7FC4CC8CAD9EDisplayNametasktimestampSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstallopen_mini_timeD228927CA9C82AEF2B0D7FC4CC8CAD9EDisplayNameD228927CA9C82AEF2B0D7FC4CC8CAD9ESOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSoftware\Microsoft\Windows\CurrentVersion\miniconfigDisplayNametasktimestampSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstallopen_tip_time6071C65D1F8644453B126AD96AB70A2Copen_mini_time0tips_times%dtips_times137%2d:%02d-1guid3060-2next_open_interval121open_mini_time101open_mini_time107https://api.flash.cn/config/realtimeguidforceMinihelper1next_open_interval102open_mini_time102-1-11050103106110 vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @errorLineerrorCharactererrorCodeerrorMessageerrorUrlFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionWebInvokeClient vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /`explorer.exeFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameX0`ProductVersionSeDebugPrivilegeS1huorongMicrosoft Windows XP/embwindowMicrosoft Windows XP21embnouiFlashHelperTips1embgui2embnouiunknowntipsshowtipsshowtips102D*` vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionhuorong/opengame={\"type\":\"open_game\",\"data\":{\"game_id\":%d,\"server_id\":%d,\"source_id\":%d}}{\"type\":\"open_game\",\"data\":{\"game_id\":%d,\"server_id\":%d,\"source_id\":%d}}DisplayIcon{"type":"open_game","data":{"game_id":%d,"server_id":%d,"source_id":%d}}S1DisplayIconSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FlashCenterChongqing Zhongcheng Network Technology Co. Ltd.FileVersionInternalNameSymantec Class 3 SHA256 Code Signing CAFileDescriptionJScriptwindowGlobal%D,3 vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: N11clickclickonCount7D5B#A39F4817829http://mini.ffnews.cn/additional/feedback/index.html?id=%sopen12clickclick1LockFeedbackLockFeedback2LockFeedbackLockFeedback3LockFeedbackLockFeedbackFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersion7 vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [S1huorongFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionget production version error.encryptiondata, need decryption!3\tencent\QQPCMgr\AdBlock\userconfig.datdecryption json error!Software\Macromedia\FlashHelper%s.%s.%sencryptiondata check error!https://api.flash.cn%s/config/scanConfig?helper=%s&guid=%s4fcatuoCDMShowTimedata len error!FlashPlayerActiveXFlashPlayerPepperFlashPlayerPluginSoftware\Macromedia\%sVersionVersion11ueip12flashatuo%s\Software\Microsoft\Windows\CurrentVersion\miniconfigSoftware\Microsoft\Windows\CurrentVersion\miniconfigueipflashUninstallerPathfp_open_mini_timeueipPlayerPathfp_open_mini_timefp_open_tip_timeUpdaterServiceIdfp_open_emb_timeSOFTWARE\Macromedia\FlashPlayerActiveXPlayerPath7Software\Macromedia\%sSocketServerModule.cpp.,isScriptDebuggersecrete key:%sisScriptDebugger%s dwDebugger=%lu31,0,0,1080%shs --type=flashupdate --fp=false --hs=true --hstype=rc --updatetype=%s\Software\Microsoft\Windows\CurrentVersion\miniconfig1flashatuoack.%s.%s.%s.%sfp_open_mini_timeack.%s.%s.%sfp_open_mini_timeFlashPlayerActiveXack1fp_open_tip_timeFlashPlayerPluginfp_open_emb_timeFlashPlayerPepper%05d%ssend geo_error0CDMShowTimerbSoftware\Macromedia\FlashHelpererr.%s.%s.error_geo.%s --type=flashupdate --fp=false --hs=true --hstype=rc --updatetype=%shserrerror_geo%05d%sdownload md5 error...start OnCountScanData.............geo_error encryption dataIsFirstInstall............0GetScanInfo error.............%s%sHS&Cell file update, install flash playerlnk --type=flashupdate --updatetype=%s.%sscan data not over interval days.............HS&Cell file update ui%05d%s%shs --type=showoffers --hs=false --updatetype=ParseCMDEMBData:CDMShowTime0B2&f6E5?8b1D#4A3{"type":"ueip","value":"0"}127.0.0.1849a5ee64a63a725installC2&F6E5#8b1D#5Adcdmembupdate{"type":"geo"}OnCountTelemertyData%s&%s&%s&%shttps://tongji.flash.cn%s/hm2.gif?msgtype=lnk&data=%s&token=%s&time=%ssystray xp vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"flashtype":"%s","originalfilename":"%s","settings_path":"%s"} vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: S,DigiCert SHA2 Assured ID Code Signing CAFFBrowser.exeDigiCert Assured ID Code Signing CA-1UninstallerPath.FlashPlayerActiveXFlashPlayerActiveXflashplayerax_install_cn.exeFlashPlayerPlugin%s.%s,.UninstallerPathFlashPlayerPepper%05d%sFlashPlayerPepperflashplayerpp_install_cn.exeFlashPlayerPepper,.UninstallerPathFlashPlayerPlugin{"type":"inforbar", "flashversion":"%s","vertype":"release"}FlashPlayerPluginFlashPlayerActiveXflashplayer_install_cn.exeguidflashplayerax_install_cn.exe,.inforbarhsFlashPlayerPlugin --type=hsupdate --updatetype=hs --hstype=rc, --type=partialupdate --fp=false --hs=true --updatetype=hs --hstype=rc --type=hsupdate --updatetype=hs. --type=hsupdate --updatetype=hs --hstype=betaFlashPlayerPepper --type=hcupdatewithoffer --type=partialupdate --fp=false --hs=true --updatetype=hs,.%sFlash Player\%s:{"fcmini":"0", "fctips":"0"}helperFlashHelperService.exehttps://www.flash.cn/cdm/latest/flashplayerax_update_cn.exeflash type %s is debugger build, update blockfcrepairhttps://www.flash.cn/cdm/latest/flashplayer_update_cn.exehshttps://www.flash.cn/cdm/latest/flashplayerpp_update_cn.exehttps://www.flash.cn/cdm/latest/flashplayerax_update_cn.exe -https://www.flash.cn/cdm/latest/flashplayer_update_cn.exeflashplayerax_install_cn.execenter installhttps://www.flash.cn/cdm/latest/flashplayerpp_update_cn.exe1flashplayer_install_cn.exe2=flashplayerpp_install_cn.exe3OnCountFlashDataSoftware\Microsoft\Windows\CurrentVersion\Uninstall\FlashCenterDisplayVersioncenter uninstallC2&F6E5#8b1D#5AdSoftware\FlashCenter\Uninstall{"value":"1", "cdm_type":"%s"}UninstallTimecenter uninstall time emptyfhsupdatehssocketerrorfhsupdate: hours later, run updatecenter uninstall out day need update%d close fp update01explorer.exe --type=flashupdate --fp=false --hs=true --updatetype={"type":"runsoft","downurl":"%s","value":"%s","errortype":"%d","vertype":"release"}%sfpfa install{"type":"down","downurl":"%s","value":"1","vertype":"release"}%sFlash Player\%s{"type":"msg","value":"1","vertype":"release"}%d hours later run updateCDM_NAMEPIPE3Software\Microsoft\Windows\CurrentVersion\Uninstall\FlashAssistant{"value":"1", "cdm_type":"%s"}DisplayVersionupdate file error,file md5 errorfa uninstallfhsdownloadcdmhsShow FC fhsdownloadcdm:UninstallTimeSoftware\FlashAssistant\Uninstallfa uninstall time emptytruefalse --type=fcupdate --fp=false --fc=true --hs=false --updatetype=%shs --showprogress=%sCDMShowTimecount0hsActiveXTimesget.ad.%s.%s.%s.%s.%s{"type":"ShowUI_Center", "cdm_type":"%d", "run_type":"%d", "showprogress_type":"%d"}UninstallerPathFlashPlayerActiveX/Show0hsshowcdmmini%s%sfa uninstall out day need updatedevrbUninstallerPathFlashPlayerActiveXUninstallerPathSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%sFlashPlayerPepperUninstallerPathFlashPlayerPluginSOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s/BootupShowminicounths/FlashShowtipsRead error/embupdateDisplayIconebmupdate/fpshowfpshowSOFTWARE\WOW6432Node\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `count dp installOriginalFilename127.0.0.1install vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `guid7D5B#A39F4817829openhttps://www.flash.cn/ueip/index.html10ueipS1huorongFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersionversiontypemd5versiontypemd5S1huorongFileVersionFileDescriptionInternalNameCompanyNameLegalCopyrightOriginalFilenameProductNameProductVersion vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "<>%\^[]`+$,@:;/!#?=&%falsetrue012msgsyndatvergetwrtfinstschgerractrspinfor_bardesktopswfUrlrefreshConfigcontentUpdateForceUpdateforceMiniforceTipsrunTipsopenFlashMiniopenExplorershowminieolIntervaleolReqshowprogressopenrepairfopenTrayfopenFAupdateminiRulesis_open_task_schedulertimeis_open_tips_task_schedulertips_timesession_iddatachksummsg:%ssession_id:%sservice_idservice_id:%stypetype:%sversionversion:%sprocessIdprocessId:%stokentoken:%sarchparenttopLocationwindowLocationdocumentReferrerdocumentTitleswfURLswfWidthswfHeightscreenResXscreenResYuserAgentauxupdate:%sshortcutnamesigncompanyproductnameoriginalfilenameauthorlegalcopyrightSubjectNameauthornameignorestarttimestampworkflowupdatetypeueip_checkfpTypefpStatus0910fcStatusfcclickeventvalcertErrorendofferstatusisopen_miniisopen_tipstips_typetimesbootup_timeinterval_timebootup_showflash_showis_blockindex_urltips_urlskin_ad_openmini_ads_urltips_timessystray_timesystray_bootuptimetips_widthtips_highmini_ads_highmini_ads_widthmini_ads_posheader_ad_openheader_ad_contentheader_ad_urlis_create_systrayis_create_new_systrayis_systray_showcontentsystray_highsystray_widthfp_tips_intervalopen_mini_countmini_toptips_toptip_ads_content_urltip_systray_content_urltip_systray_content_txttip_systray_icon_urlsearch_textcontentssearch_switchtask_fp_toptips_bkimagefullscreen_delay_showtips_softsmini_softsmini_blockinstall_soft_methodis_disconnect_downloadtitle_download_urltitle_download_argopen_mem_tasktip_show_typetitle_webpage_urlhelperStatushelperVersioncellVersionflashVersionbetaupdateFCUpdateCellUpdateFAydescriptiontips_titletips_c_color_Rtips_c_color_Gtips_c_color_Btips_b_color_Rtips_b_color_Gtips_b_color_Breginfoembeddedintervalkeynamepathexenameisabspathurlserver_idgame_idsource_idis_open_embupdatedownloadpepdownloadocxdownloadnpswfpage_urlis_show_windowpep_flash_versionnp_flash_versionocx_flash_versionflash_version3rdPartyStatuscdm_shownhostwildcardfullmatchclsadresIdseqIdsignaturedomainsettings_pathactionShownShowdurationalphatext1URL1text2URL2show_iddigestauthnameosversionmacappNameappLinkappVersionappCopyrightappSignaturenamesubjectNameIDsuccessmd5apppathparentnameoriginalpathmsgtypeguidhelperversionumorigintypeportflashinfoflashtypegftypeflashversionshowadfpstatusfpcodehsstatushscodecellstatuscellcodefcstatusfccodeuserconfig_datlnkembeddedflashofferTypeidsoftnamesoftversionoriginalnameofferidstatus_code%s%d%s%i64d%s%u%s%I64u%s%lf%s%fNULL%s"%s"0aliasfptypetitletitle_bkreg_locationsoft_nameshow_typekey_nameembinfolocationcontentTyperunArgsgroupIdlist<T> too long"/\ vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlashHelperService.exeJ vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Binary or memory string: OriginalFilenameFlashUtil.exev+ vs SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: comres.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: ws2help.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: xpsp2res.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: comres.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: ws2help.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: xpsp2res.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: dinput8.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Section loaded: cryptbase.dll Jump to behavior
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal60.evad.winEXE@10/6@3/2
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009393B0 GetLastError,_strncpy,FormatMessageA,_strrchr,_strrchr,GetLastError,SetLastError, 1_2_009393B0
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9DFCB5 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_6C9DFCB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F88300 GetSystemDirectoryW,CreateToolhelp32Snapshot,_memset,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,CloseHandle, 0_2_00F88300
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9CED5E CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,_wprintf,VariantInit,_com_util::ConvertStringToBSTR,VariantClear,VariantClear,VariantClear,VariantClear,_wprintf,VariantInit,_com_util::ConvertStringToBSTR,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize, 3_2_6C9CED5E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F8B110 LoadLibraryW,GetLastError,FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource,GetLastError,FreeResource,FreeLibrary, 0_2_00F8B110
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Mutant created: \Sessions\1\BaseNamedObjects\FlashHelperService
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Mutant created: \BaseNamedObjects\CDM_NAMEPIPE
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\{FEC7EF28-53E7-4f06-8F56-FA6D670C8D3C}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: kernel32.dll 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -install 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -Embedding 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -uninstall 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -check 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -update 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -maintain 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: -relaunched 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: \Macromed\Temp 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: \*.dll 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: Macromed 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Command line argument: Flash 0_2_00F88460
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Virustotal: Detection: 28%
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: -Start
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: -install
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: -install -iv
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml
Source: FlashPlayerInstaller.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: Player. Please log on with administrative privileges and try again.Failed to create temporary file*...err2err1err7err8en_gbenfrkojasvdeesitzh-CNzh-TWptpt_ptplcstrnlrudanbhuelfiarheskbgslrohrsruklvltthetxuGetNativeSystemInfoWininet.dllInternetOpenWInternetConnectWHttpOpenRequestWHttpSendRequestWInternetReadFileHttpQueryInfoWInternetCloseHandleInternetSetOptionWInternetOpenUrlWcomres.dllclbcatq.dllsecur32.dllnetapi32.dllsetupapi.dllversion.dllmsasn1.dllcrypt32.dllwintrust.dllriched20.dllcryptui.dllshdocvw.dllws2help.dllws2_32.dllxpsp2res.dllsfc_os.dllSetDefaultDllDirectories -install-Embedding-uninstall-check-update-maintain-refreshIEElevationPolicies-relaunchedMacromedFlashFlashInstall32.lograpmsiprevplayerbrokerundrmpluginactivexwin8AXinstpepperpluginmanifestmetaiconjoey64ncpsausandboxplvoucherAXvoucherPLvoucherPEPncpapp34.0.0.225 "-/embeddedInstallerenterpriseInstallerbetaSystemInstallerSystemInstallerSystemInstallerFixedFlashHelperService.exeHSUninstall.exeFlash Helper Service0.0.0.01-install -iv -iv svc-Uninstall-Start -dp=-fp=newFlashHelperVersioninstnewFlashPlayerVersionppapinewFlashHelperUninstallerVersion-a -p "uninst0~installVector=&previousVersion=&pProc=&lang=&cpuWordLength=6432http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml&playerType=full&playerType=ax&playerType=pl&playerType=pep&playerType=unk&os=win&osVer=&isDebug=0&err=&werr=&comp=&app=Adobe Flash PlayerSoftware\Macromedia\FlashPlayerActiveXversionSoftware\Macromedia\FlashPlayerPluginSoftware\Macromedia\FlashPlayerPepperSoftware\Macromedia\FlashPlayerCurrentVersion,Software\MozillaPlugins\@adobe.com/FlashPlayerVersionSoftware\MozillaGetFileVersionInfoSizeWGetFileVersionInfoWVerQueryValueWNPSWF32.dll%d.%d.%d.%d\extensionsPlugins.-msi -prev channelCodeinvalid string positionstring too long
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: Player. Please log on with administrative privileges and try again.Failed to create temporary file*...err2err1err7err8en_gbenfrkojasvdeesitzh-CNzh-TWptpt_ptplcstrnlrudanbhuelfiarheskbgslrohrsruklvltthetxuGetNativeSystemInfoWininet.dllInternetOpenWInternetConnectWHttpOpenRequestWHttpSendRequestWInternetReadFileHttpQueryInfoWInternetCloseHandleInternetSetOptionWInternetOpenUrlWcomres.dllclbcatq.dllsecur32.dllnetapi32.dllsetupapi.dllversion.dllmsasn1.dllcrypt32.dllwintrust.dllriched20.dllcryptui.dllshdocvw.dllws2help.dllws2_32.dllxpsp2res.dllsfc_os.dllSetDefaultDllDirectories -install-Embedding-uninstall-check-update-maintain-refreshIEElevationPolicies-relaunchedMacromedFlashFlashInstall32.lograpmsiprevplayerbrokerundrmpluginactivexwin8AXinstpepperpluginmanifestmetaiconjoey64ncpsausandboxplvoucherAXvoucherPLvoucherPEPncpapp34.0.0.225 "-/embeddedInstallerenterpriseInstallerbetaSystemInstallerSystemInstallerSystemInstallerFixedFlashHelperService.exeHSUninstall.exeFlash Helper Service0.0.0.01-install -iv -iv svc-Uninstall-Start -dp=-fp=newFlashHelperVersioninstnewFlashPlayerVersionppapinewFlashHelperUninstallerVersion-a -p "uninst0~installVector=&previousVersion=&pProc=&lang=&cpuWordLength=6432http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml&playerType=full&playerType=ax&playerType=pl&playerType=pep&playerType=unk&os=win&osVer=&isDebug=0&err=&werr=&comp=&app=Adobe Flash PlayerSoftware\Macromedia\FlashPlayerActiveXversionSoftware\Macromedia\FlashPlayerPluginSoftware\Macromedia\FlashPlayerPepperSoftware\Macromedia\FlashPlayerCurrentVersion,Software\MozillaPlugins\@adobe.com/FlashPlayerVersionSoftware\MozillaGetFileVersionInfoSizeWGetFileVersionInfoWVerQueryValueWNPSWF32.dll%d.%d.%d.%d\extensionsPlugins.-msi -prev channelCodeinvalid string positionstring too long
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe String found in binary or memory: Player. Please log on with administrative privileges and try again.Failed to create temporary file*...err2err1err7err8en_gbenfrkojasvdeesitzh-CNzh-TWptpt_ptplcstrnlrudanbhuelfiarheskbgslrohrsruklvltthetxuGetNativeSystemInfoWininet.dllInternetOpenWInternetConnectWHttpOpenRequestWHttpSendRequestWInternetReadFileHttpQueryInfoWInternetCloseHandleInternetSetOptionWInternetOpenUrlWcomres.dllclbcatq.dllsecur32.dllnetapi32.dllsetupapi.dllversion.dllmsasn1.dllcrypt32.dllwintrust.dllriched20.dllcryptui.dllshdocvw.dllws2help.dllws2_32.dllxpsp2res.dllsfc_os.dllSetDefaultDllDirectories -install-Embedding-uninstall-check-update-maintain-refreshIEElevationPolicies-relaunchedMacromedFlashFlashInstall32.lograpmsiprevplayerbrokerundrmpluginactivexwin8AXinstpepperpluginmanifestmetaiconjoey64ncpsausandboxplvoucherAXvoucherPLvoucherPEPncpapp34.0.0.225 "-/embeddedInstallerenterpriseInstallerbetaSystemInstallerSystemInstallerSystemInstallerFixedFlashHelperService.exeHSUninstall.exeFlash Helper Service0.0.0.01-install -iv -iv svc-Uninstall-Start -dp=-fp=newFlashHelperVersioninstnewFlashPlayerVersionppapinewFlashHelperUninstallerVersion-a -p "uninst0~installVector=&previousVersion=&pProc=&lang=&cpuWordLength=6432http://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml&playerType=full&playerType=ax&playerType=pl&playerType=pep&playerType=unk&os=win&osVer=&isDebug=0&err=&werr=&comp=&app=Adobe Flash PlayerSoftware\Macromedia\FlashPlayerActiveXversionSoftware\Macromedia\FlashPlayerPluginSoftware\Macromedia\FlashPlayerPepperSoftware\Macromedia\FlashPlayerCurrentVersion,Software\MozillaPlugins\@adobe.com/FlashPlayerVersionSoftware\MozillaGetFileVersionInfoSizeWGetFileVersionInfoWVerQueryValueWNPSWF32.dll%d.%d.%d.%d\extensionsPlugins.-msi -prev channelCodeinvalid string positionstring too long
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\system32\Macromed\Flash\FlashHelperService.exe" -Start -dp=0 -fp=ppapi
Source: unknown Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe" -dp=0 -fp=ppapi
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process created: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe "C:\Windows\system32\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe" -iv 20
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe" /BootupShow
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe /BootupShow2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\system32\Macromed\Flash\FlashHelperService.exe" -Start -dp=0 -fp=ppapi Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process created: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe "C:\Windows\system32\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe" -iv 20 Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe" /BootupShow Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe /BootupShow2 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FlashCenter Jump to behavior
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static file information: File size 13167088 > 1048576
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc65400
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\FlashBroker.build\Release\Win32\FlashUtil.pdb source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2857698640.000000006CA03000.00000002.00000001.01000000.0000000A.sdmp, fpb.tmp0.3.dr
Source: Binary string: D:\code\Flash_Helper\FlashHelper\Build\Release\FlashHelperService_release.pdb8 source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\FlashBroker.build\Release\Win32\FlashUtil.pdb source: FlashPlayerInstaller.exe, 00000003.00000003.1676108515.000000000403C000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2857698640.000000006CA03000.00000002.00000001.01000000.0000000A.sdmp, fpb.tmp0.3.dr
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\Morphology.build\Release\Win32\Morpheme.pdb source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1671202698.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000003.1675576327.0000000003EB3000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000002.2854757562.0000000000EEC000.00000002.00000001.01000000.00000008.sdmp, FlashPlayerInstaller.exe, 00000003.00000000.1672334542.0000000000EEC000.00000002.00000001.01000000.00000008.sdmp, fpb.tmp.3.dr, FlashPlayerInstaller.exe.0.dr
Source: Binary string: D:\code\Flash_Helper\FlashHelper\Build\Release\FlashHelperService_release.pdb source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000000.1609077342.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000002.00000002.2855157262.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000002.1685190433.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000004.00000000.1682216910.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000000.1684284249.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000005.00000002.2855120688.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe.0.dr
Source: Binary string: c:\jenkins\workspace\System_Offline_Installers_Git\2144\2144InstallerEngine\Release\2144InstallerEngine.pdb source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F947AA EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00F947AA
PE file contains sections with non-standard names
Source: FlashHelperService.exe.0.dr Static PE information: section name: Shared
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F91A85 push ecx; ret 0_2_00F91A98
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00AD0945 push ecx; ret 1_2_00AD0958
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00AD0945 push ecx; ret 2_2_00AD0958
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9FD8AD push dword ptr [esp+ecx-75h]; iretd 3_2_6C9FD8B1
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E9A64 push ecx; ret 3_2_6C9E9A77
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EA4B6 push ecx; ret 3_2_6C9EA4C9

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Executable created and started: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Executable created and started: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe File created: C:\Windows\SysWOW64\Macromed\Temp\{BEED5110-3922-4357-91FC-E2942647009F}\fpb.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe File created: C:\Windows\SysWOW64\Macromed\Temp\{52B705C9-43EF-40AE-B3D4-879CDCC17548}\fpb.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe File created: C:\Windows\SysWOW64\Macromed\Temp\{BEED5110-3922-4357-91FC-E2942647009F}\fpb.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe File created: C:\Windows\SysWOW64\Macromed\Temp\{52B705C9-43EF-40AE-B3D4-879CDCC17548}\fpb.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe File created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Jump to dropped file
Modifies existing windows services
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Flash Helper Service Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F91FE3 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F91FE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F88300 GetSystemDirectoryW,CreateToolhelp32Snapshot,_memset,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,CloseHandle, 0_2_00F88300
Contains functionality to query network adapater information
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,swprintf,_memset,RegOpenKeyExA,RegQueryValueExA,RegCloseKey, 2_2_009F89B0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: GetAdaptersInfo, 2_2_00A024B0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: GetAdaptersInfo, 2_2_00A02D60
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: GetAdaptersInfo, 2_2_00A03310
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Temp\{BEED5110-3922-4357-91FC-E2942647009F}\fpb.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Temp\{52B705C9-43EF-40AE-B3D4-879CDCC17548}\fpb.tmp Jump to dropped file
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe API coverage: 2.4 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F88460 _memset,SetDllDirectoryW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetCommandLineW,CommandLineToArgvW,_memset,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,_wcsstr,GetModuleFileNameW,_wcsrchr,GetSystemDirectoryW,GetSystemDirectoryW,FindFirstFileW,FindClose,CopyFileW,DeleteFileW,RemoveDirectoryW,ExitProcess,GetSystemDirectoryW,FreeLibrary,FreeLibrary,ExitProcess, 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F835F0 GetSystemDirectoryW,FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00F835F0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00ADE407 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose, 2_2_00ADE407
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009F6B80 FindFirstFileA,FindClose,FindClose,FindClose, 2_2_009F6B80
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E35E0 FindFirstFileW,FindNextFileW,FindNextFileW,_wcslen,FindNextFileW,FindClose,GetLastError, 3_2_6C9E35E0
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9DEF50 GetSystemTime,SystemTimeToFileTime,_wcslen,FindFirstFileW,_wcslen,_wcslen,RemoveDirectoryW,_wcslen,_wcslen,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_6C9DEF50
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E49AC FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_6C9E49AC
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E5955 FindFirstFileW,RemoveDirectoryW,RemoveDirectoryW,FindNextFileW,FindClose, 3_2_6C9E5955
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9D6AFC new,MultiByteToWideChar,MultiByteToWideChar,_wcslen,FindFirstFileW,FindNextFileW,FindClose,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_6C9D6AFC
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E3A6E FindFirstFileA,GetLastError,_strstr,FindNextFileA,FindClose, 3_2_6C9E3A6E
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9D34A8 FindFirstFileW,SysAllocString,GetLastError, 3_2_6C9D34A8
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E0000 GetFileAttributesW,_wcslen,FindFirstFileW,_wcslen,_wcslen,FindNextFileW,FindClose,FindClose,CreateFileW,GetFileSizeEx,CloseHandle, 3_2_6C9E0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F862C0 GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetSystemMetrics, 0_2_00F862C0
Source: FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001F1A000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000003.1685722671.0000000001F1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
Source: FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001EE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: FlashHelperService.exe, 00000005.00000002.2855411136.0000000000D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: FlashPlayerInstaller.exe, 00000003.00000002.2856256506.0000000001F1A000.00000004.00000020.00020000.00000000.sdmp, FlashPlayerInstaller.exe, 00000003.00000003.1685722671.0000000001F1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FlashHelperService.exe, 00000002.00000002.2855473334.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: FlashHelperService.exe, 00000001.00000002.1609893127.0000000000818000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000004.00000002.1685656133.00000000014F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F906A2 IsDebuggerPresent, 0_2_00F906A2
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F947AA EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00F947AA
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F88300 GetSystemDirectoryW,CreateToolhelp32Snapshot,_memset,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32FirstW,Process32NextW,FindCloseChangeNotification,OpenProcess,CloseHandle, 0_2_00F88300
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F947AA EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00F947AA
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9F4DD4 mov eax, dword ptr fs:[00000030h] 3_2_6C9F4DD4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F92BCC GetProcessHeap, 0_2_00F92BCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F9368E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F9368E
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_00ACF8D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00ACF8D7
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00ACF8D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00ACF8D7
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9F2C12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C9F2C12
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9E9AB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C9E9AB0
Source: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe Code function: 3_2_6C9EA345 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C9EA345
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F848F0 _wcsrchr,GetForegroundWindow,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,FindCloseChangeNotification,GetLastError, 0_2_00F848F0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\system32\Macromed\Flash\FlashHelperService.exe" -Start -dp=0 -fp=ppapi Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Process created: C:\Windows\SysWOW64\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe "C:\Windows\system32\Macromed\Temp\{9639F71F-08DF-4565-BCFC-52EA28C8B997}\FlashPlayerInstaller.exe" -iv 20 Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Process created: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe "C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe" /BootupShow Jump to behavior
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: 0%s&%s&%s&%shttps://tongji.flash.cn%s/hm2.gif?msgtype=%s&data=%s&token=%s&time=%sFCHandler not installedIsWow64ProcessService stoppedkernel32showShell_TrayWndtipsshowTrayNotifyWndSysPagerToolbarWindow32SM107miniNotifyIconOverflowWindowDtipsToolbarWindow32BValForceRemoveNoRemoveDelete102showshowminialnumalpha102blankcntrlddigitgraphlowerprinttipsshowpuncttipsshowspacetipssupperwxdigitshowtipsshow115showtipsshowFlashHelperMiniFlashHelperTipsshowtipsshow108minitips6071C65D1F8644453B126AD96AB70A2Cshowtipsshow122minitipsunknownbootupfpshowminitaskschedulerFlashCenter.exeFlash Center()$^.*+?[]|\-{},:=!
Source: SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe, 00000000.00000003.1604514797.000000000431E000.00000004.00000020.00020000.00000000.sdmp, FlashHelperService.exe, 00000001.00000000.1608179840.0000000000B10000.00000002.00000001.01000000.00000006.sdmp, FlashHelperService.exe, 00000001.00000002.1610208631.0000000000B10000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: .exeFlashHelperService%s%s%s.lnk/shortcut5fullscreenminitaskschedulerfullscreenfpshowSoftware\LiveUpdate360shortshowbootup638mini638638Shell_TrayWnd{"type":"%s","opentype":"%s","value":"%s","version":"%s","times":"%s","extra":"%s"}2showonCountshow:huorong12fullscreenfullscreen1fullscreenfullscreen2fullscreenfullscreenS1huorong1fullscreenfullscreen&-2showonCountshow3fullscreenfullscreen4fullscreenfullscreen-8click"starttime":"%s", "endtime":"%s"3{"type":"%s","opentype":"%s","value":"%s","version":"%s","times":"%s","extra":{%s}}clickclickclickonCountonCount7click60-27click7111click7clickclickonCount-1click7-20-1click60112click-1clickclickonCountSoftware\LiveUpdate360638sQ
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_009DDC00 cpuid 1_2_009DDC00
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00AA28A0 WaitForSingleObject,_memset,CreateNamedPipeW,CreateEventW,_memset,ConnectNamedPipe,CloseHandle,CloseHandle,GetLastError,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,ReadFile,_memset,DisconnectNamedPipe,CloseHandle,CloseHandle,ReleaseMutex, 2_2_00AA28A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F8BC30 GetSystemTime, 0_2_00F8BC30
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_009F50E0 ImpersonateLoggedOnUser,_memset,GetUserNameW,RevertToSelf,ConvertSidToStringSidW, 2_2_009F50E0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00ADD195 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_00ADD195
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe Code function: 0_2_00F87950 GetVersionExA, 0_2_00F87950
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092CBC0 _memset,_memset,_strncmp,_strncmp,htons,bind,htons,bind,_memset,getsockname,WSAGetLastError,htons,WSAGetLastError, 1_2_0092CBC0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 1_2_0092CEA9 htons,bind,_memset,getsockname,WSAGetLastError, 1_2_0092CEA9
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092CBC0 _memset,_memset,_strncmp,_strncmp,htons,bind,htons,bind,_memset,getsockname,WSAGetLastError,htons,WSAGetLastError, 2_2_0092CBC0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_0092CEA9 htons,bind,_memset,getsockname,WSAGetLastError, 2_2_0092CEA9
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00945CC0 bind,WSAGetLastError, 2_2_00945CC0
Source: C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe Code function: 2_2_00949F00 _memset,___from_strstr_to_strchr,_strtoul,___from_strstr_to_strchr,_strtoul,getsockname,WSAGetLastError,___from_strstr_to_strchr,_strncpy,WSAGetLastError,_memmove,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons, 2_2_00949F00
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417005 Sample: SecuriteInfo.com.Win32.Adwa... Startdate: 28/03/2024 Architecture: WINDOWS Score: 60 33 u966.v.trpcdn.net 2->33 35 u9551.v.trpcdn.net 2->35 37 6 other IPs or domains 2->37 43 Multi AV Scanner detection for domain / URL 2->43 45 Antivirus detection for URL or domain 2->45 47 Multi AV Scanner detection for submitted file 2->47 8 SecuriteInfo.com.Win32.Adware-gen.4351.30579.exe 9 2->8         started        12 FlashHelperService.exe 14 11 2->12         started        signatures3 process4 dnsIp5 29 C:\Windows\...\FlashPlayerInstaller.exe, PE32 8->29 dropped 31 C:\Windows\...\FlashHelperService.exe, PE32 8->31 dropped 49 Drops executables to the windows directory (C:\Windows) and starts them 8->49 15 FlashHelperService.exe 1 8->15         started        18 FlashPlayerInstaller.exe 18 8->18         started        39 36d6250f.ovslegodl.sched.ovscdns.com 43.152.136.177, 443, 49731, 49733 LILLY-ASUS Japan 12->39 41 u9551.v.trpcdn.net 112.47.51.225, 443, 49732, 49734 CMNET-GDGuangdongMobileCommunicationCoLtdCN China 12->41 21 FlashHelperService.exe 12->21         started        file6 signatures7 process8 file9 51 Multi AV Scanner detection for dropped file 15->51 53 Machine Learning detection for dropped file 15->53 25 C:\Windows\SysWOW64\Macromed\Temp\...\fpb.tmp, PE32 18->25 dropped 27 C:\Windows\SysWOW64\Macromed\Temp\...\fpb.tmp, PE32 18->27 dropped 55 Drops executables to the windows directory (C:\Windows) and starts them 21->55 23 FlashHelperService.exe 2 21->23         started        signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
43.152.136.177
 36d6250f.ovslegodl.sched.ovscdns.com Japan 4249 LILLY-ASUS false
112.47.51.225
 u9551.v.trpcdn.net China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false

Contacted Domains

Name IP Active
36d6250f.ovslegodl.sched.ovscdns.com 43.152.136.177 true
u9551.v.trpcdn.net 112.47.51.225 true
api.flash.cn unknown unknown
tongji.flash.cn unknown unknown
fpdownload.macromedia.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://tongji.flash.cn/hm4.gif?product=mini&event=show&uid={1CDACC51-0778-478e-9983-CF8CEA5837C2}&um=6F94DF17F2E10BEA5C3FC00A1C2F54B7&platform=windows&channel=10000&version=2.2.1.96&osversion=10.0.19041.1889&signature=F4D5479F05D7436FA93C605395EAFD25&key=2&data=15948E433789B8E742E357ED192DFACA1C5D7F6F92D1217A758374CDAEBBD03C3ABEC9D4684C96362684C9A670A4CF386840EC5A2AB941A6C208E37223F479B47F76B7110DDCFF1A751FE5E5972B8F11032420EFE98881CD55D3F02D41B93E33 false
  • Avira URL Cloud: phishing
 unknown
https://tongji.flash.cn/hm2.gif?msgtype=mini&data=CDDF8FC74D3B33B2BC58AC6497635275A578D991405693D301B4C76D59C4293ED05FC25481CAD619640BC8674E985947D3ADC6D7F013C0338C95136482D16D8B6B920131A026D54E777254D3247DC5A3E1B0007F1D1EABAD078C74FC3BC4D6AE1DD0D06BD9480C61D2E4FCA06FDDD705977A60698BF212CC854832B570A70F8242FD2F48A0723CCBB0EC109C413882CD90E35D7F53420390F5C02E171ECA905459A43935B9BAE436DE3D299CC5521C5310A26A0E3E60F911D18CCDFEEC3F903CAD2FE97E44C5954FE4CA74FE1C30DC6E0754B71EDB83E08B4FDF1EFFAC212EEF&token=C762B21F41ED94B5C38E7FBFA9E2F488&osversion=10.0.19041.1889&time=1711629663 false
  • Avira URL Cloud: safe
 unknown
https://api.flash.cn/config/powerBoot?helper=2.2.1.96& false
  • Avira URL Cloud: safe
 unknown
https://tongji.flash.cn/hm2.gif?msgtype=helper&data=6F76D319CE5E22BBEDDE5F7486E15839BD5C3C95456EE934AED2E7589794445E0B8D4D7CCF441E001C435D00E89E4351D683800531FF08900FC8D6C25895094AA7669F2143BD5B8DEAE44A5973CAB16B387AED7ED7EE3F45EAF963E647A4C96C9CE3FAD00ACF80EFE2E1EC094F60E964F51A70BAEF104D3D333862AE58E2DE540778D77890DA67FB2795A102530E5638D61A1267C7BB7D0ADE6D19CA2010C05D988E0347FBCB8C06744887F6AC4D16EBA725ADCEBB8876EEE74BB648603BF73DC0EF381D7CD127A96F3BB8AB3E12D06928EC61A9D692CCCBADD51AC6C16D575A9E058288CA635F19615C2C8F366C7C97BDF9F9416EADC6A0D89ACC4F27931003&token=B5ACDF4229E567BFCC1E227F41CACB42&osversion=10.0.19041.1889&time=1711629661 false
  • Avira URL Cloud: safe
 unknown
https://tongji.flash.cn/hm2.gif?msgtype=install&data=979EA788DE83B755CE191CCC17A2E381823E74F0BBFB6633E04B4A1E29C8C57B491C3ECD2E94376CF413DBCD03A3DA7E8A0932BF78A49A6458CDEE0F7A24DF3A882EA31A747A2DCC37F9B24F94A5C8C5FB5BE656CFAFFCFC7992C03387D2C2EEDAE585B2121D3C5B6860C43C239656E544A95990485B7C48B0ED77D9919CBE660951123C0E7BA644455DE948BB3A7FB8CF3B644AF4362AFA73B718044621DB5825C54F863852F1D5E17922CCE770B7595EEAEA76BF4E76BB9C700B36209A3B6639B5392EBA3CEACB044F2A3537247E57DA7B63B5BEF558DF6D43855855DC8DA093E2C02A0DD6338235FB8E88FBD0BAE7FBB395102EF61B21CCB59D993472E71DED7B0061A83A7169036ADFA3F9FF85954FAC08A9BEFAAE8225F4F266DA99687D62C301EF66ED4CB281DF4AF2BD904F7361BE3554ED3BDF10CC6253A540971CEB41701FFAF035EDC530BD7399273E8C6EC4BF7337AF158FE558FE0F61B07268C4393AD7C8EFE2E33ECA767ECBBAF15B1E06CF85814809F4E80D6F22629B5058B8DF62819771E9FCC4403A762CA4532319FE06C2F425F0BC41A9EB65C4725C860FA0012AF5839906BCF75AC7AA22984E42D96815C9A9C70FC1066E3E821C10420B5333B5F31D03049015CF91E518DE225000FE3FF7254687661ED8A14673ACC4C8&token=72664B7DD2A5E5278E8C3C6323CEF6BE&osversion=10.0.19041.1889&time=1711629661 false
  • Avira URL Cloud: safe
 unknown
https://api.flash.cn/config/fc_check_update?helper=2.2.1.96 false
  • Avira URL Cloud: safe
 unknown