Parent Child flashplayer32au_ce_install.exe -> Explorer.exe

(@mabel)
Posts: 3
New Member
Topic starter
 

Hi,

Can someone explain the logic behind this to me? Please see the event description below.

It is my understanding that the Windows shell (explorer.exe) has no parent, or has UserInit.exe as its parent for a brief period of time (https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/). Also, notice the location of explorer.exe; it is signed by Microsoft.

EVENT

<13>Aug 19 22:06:54 SERVERNAME AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=xxxxxx Source=Microsoft-Windows-Security-Auditing Computer=SERVER.domain.name OriginatingComputer=xxxxxx User= Domain= EventID=4688 EventIDCode=4688 EventType=8 EventCategory=13312 RecordNumber=4067801 TimeGenerated=1566266753 TimeWritten=1566266753 Level=Log Always Keywords=Audit Success Task=SE_ADT_DETAILEDTRACKING_PROCESSCREATION Opcode=Info
Message=A new process has been created.

Creator Subject:
    Security ID:      DOMAIN\username
    Account Name:     username
    Account Domain:   DOMAIN
    Logon ID:         0x1414ED4

Target Subject:
    Security ID:      NULL SID
    Account Name:     -
    Account Domain:   -
    Logon ID:         0x0

Process Information:
    New Process ID:         0x1bcc
    New Process Name:       C:\Windows\SysWOW64\explorer.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID:     0x221c
    Creator Process Name:   C:\Users\USERNAME\AppData\Local\Microsoft\Windows\INetCache\IE\IHLV4XCT\flashplayer32au_ce_install.exe
    Process Command Line:   explorer.exe

 
Posted : 30/08/2019 7:47 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Could you share the results of checking the file 'flashplayer32au_ce_install.exe' on VirusTotal?

 
Posted : 30/08/2019 8:30 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hi,

Can someone explain the logic behind this to me?

Yes. That is malware, for sure.
The Windows OS usually uses C:\Windows\explorer.exe, and usually it is explorer.exe which starts other GUI apps on the desktop interactively. "flashplayer32au_ce_install.exe" was launched from the IE/Edge cache folder and was downloaded from the Internet.

Try to get hold of this file, check it at VT and let it explode at hybrid-analysis.com for a dynamic analysis. Come back to this forum if you have more questions, please.

regards, Robin

 
Posted : 31/08/2019 12:31 pm
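The reasoning in the reply above (shell image not at C:\Windows\explorer.exe, parent not userinit.exe, parent running from a browser cache) can be turned into a check over forwarded 4688 events. The following is an added example written for this thread, not code from any poster. It assumes the forwarder's flattened single-line "Label: value Label: value" layout shown in the event above; the three sample lines are constructed from that layout (the first mirrors the posted event's values), and the allowlists of expected shell path and parents are assumptions to tune for your own estate.

```python
"""Flag explorer.exe launches with an unexpected image path or parent in
flattened Windows Security event 4688 lines (added example for this thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed template of the forwarder's single-line 4688 layout seen in the thread.
_TEMPLATE = (
    "<13>Aug 19 22:06:54 SERVERNAME AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=SERVER.domain.name EventID=4688 "
    "Message=A new process has been created. Creator Subject: Security ID: DOMAIN\\username "
    "Account Name: username Account Domain: DOMAIN Logon ID: 0x1414ED4 Target Subject: "
    "Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 "
    "Process Information: New Process ID: {new_pid} New Process Name: {new_name} "
    "Token Elevation Type: %%1938 Mandatory Label: Mandatory Label\\Medium Mandatory Level "
    "Creator Process ID: {creator_pid} Creator Process Name: {creator_name} "
    "Process Command Line: {cmdline}"
)

SAMPLE_EVENTS = [
    # Mirrors the posted event: 32-bit explorer.exe spawned by an installer in the IE cache.
    _TEMPLATE.format(new_pid="0x1bcc", new_name=r"C:\Windows\SysWOW64\explorer.exe",
                     creator_pid="0x221c", cmdline="explorer.exe",
                     creator_name=r"C:\Users\USERNAME\AppData\Local\Microsoft\Windows"
                                  r"\INetCache\IE\IHLV4XCT\flashplayer32au_ce_install.exe"),
    # Constructed benign case: the shell started at logon by userinit.exe.
    _TEMPLATE.format(new_pid="0x0f44", new_name=r"C:\Windows\explorer.exe", creator_pid="0x0e8c",
                     creator_name=r"C:\Windows\System32\userinit.exe", cmdline=r"C:\Windows\Explorer.EXE"),
    # Constructed benign case: the shell launching a GUI application for the user.
    _TEMPLATE.format(new_pid="0x1a2c", new_name=r"C:\Windows\System32\notepad.exe", creator_pid="0x0f44",
                     creator_name=r"C:\Windows\explorer.exe", cmdline=r'"C:\Windows\System32\notepad.exe"'),
]


@dataclass
class ProcessCreation:
    new_pid: int
    new_name: str
    creator_pid: int
    creator_name: Optional[str]   # field exists only on Windows 10 / Server 2016 and later
    command_line: Optional[str]   # empty unless command-line auditing is enabled


# The message is flattened onto one line, so each value is delimited by the label
# of the field that follows it in the 4688 layout rather than by a newline.
_PATTERNS = {
    "new_pid": re.compile(r"New Process ID:\s*(0x[0-9A-Fa-f]+)"),
    "new_name": re.compile(r"New Process Name:\s*(.+?)\s+Token Elevation Type:"),
    "creator_pid": re.compile(r"Creator Process ID:\s*(0x[0-9A-Fa-f]+)"),
    "creator_name": re.compile(r"Creator Process Name:\s*(.+?)(?:\s+Process Command Line:|$)"),
    "command_line": re.compile(r"Process Command Line:\s*(.*)$"),
}


def parse_4688(line: str) -> Optional[ProcessCreation]:
    """Extract the process-creation fields from one forwarded 4688 line, or None."""
    if "EventID=4688" not in line:
        return None
    m = {key: pat.search(line) for key, pat in _PATTERNS.items()}
    if not (m["new_pid"] and m["new_name"] and m["creator_pid"]):
        return None
    return ProcessCreation(
        new_pid=int(m["new_pid"].group(1), 16),          # event log shows PIDs in hex
        new_name=m["new_name"].group(1),
        creator_pid=int(m["creator_pid"].group(1), 16),
        creator_name=m["creator_name"].group(1) if m["creator_name"] else None,
        command_line=m["command_line"].group(1).strip() if m["command_line"] else None,
    )


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Assumed allowlists: userinit.exe starts the shell at logon, and explorer.exe
# restarting itself is normal. Anything else starting the shell is worth a look.
EXPECTED_SHELL_PATH = "c:\\windows\\explorer.exe"
EXPECTED_SHELL_PARENTS = {"userinit.exe", "explorer.exe"}
# Directories a legitimate parent of the shell should not be running from (assumption).
USER_WRITABLE_MARKERS = ("\\inetcache\\", "\\appdata\\local\\temp\\", "\\downloads\\")


def assess(ev: ProcessCreation) -> List[str]:
    """Return findings for an explorer.exe launch; an empty list means nothing unusual."""
    findings: List[str] = []
    if _basename(ev.new_name) != "explorer.exe":
        return findings
    if ev.new_name.lower() != EXPECTED_SHELL_PATH:
        findings.append(f"explorer.exe started from unexpected path: {ev.new_name}")
    if ev.creator_name is None:
        findings.append(f"no Creator Process Name; resolve parent PID {ev.creator_pid} from earlier 4688s")
    else:
        if _basename(ev.creator_name) not in EXPECTED_SHELL_PARENTS:
            findings.append(f"explorer.exe started by unexpected parent: {ev.creator_name} (PID {ev.creator_pid})")
        if any(marker in ev.creator_name.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append("parent image runs from a browser cache or temp directory")
    return findings


def triage(lines: List[str]) -> Dict[int, List[str]]:
    """Map each parsed event's new PID to its findings."""
    return {ev.new_pid: assess(ev) for ev in map(parse_4688, lines) if ev is not None}


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings or "ok")
```

Two caveats when using this on real data: C:\Windows\SysWOW64\explorer.exe is the legitimate, Microsoft-signed 32-bit copy, and a 32-bit process that launches "explorer.exe" by bare name is redirected to it by WOW64, so the image path alone is a weak signal and the parent is the stronger one; and on hosts older than Windows 10 / Server 2016 the 4688 event carries only the Creator Process ID, so the parent has to be resolved from the earlier 4688 that created that PID.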
(@mabel)
Posts: 3
New Member
Topic starter
 

The file is gone. But thanks for confirming my suspicions.

 
Posted : 03/09/2019 2:50 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

The file is gone. But thanks for confirming my suspicions.

Gone? It could have been renamed and still be active! Or was it deleted/quarantined by your antivirus product? You should find out how it went missing.

regards,
Robin

 
Posted : 03/09/2019 2:54 pm