Participant
December 6, 2018
Question

FlashPlayerInstaller reading LSASS memory


Hello,

The recent flash update appeared with a weird process chain in our antivirus. It shows the initial signed installer calling an unsigned install which then scrapes LSASS memory. Is this normally the process that Flash should be installing with?

The antivirus shows the execution chain as:

CMD: FlashPlayerInstaller.exe -install -iv 9 VirusTotal

CMD: "C:\WINDOWS\system32\Macromed\Temp\{ED9F96DB-0F7C-4FE6-8D3E-DC481E02E23A}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 9 -au 4294967295

VirusTotal (unsigned)

Reads LSASS memory VirusTotal

Thanks!

This topic has been closed for replies.
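
One way a defender might triage the "Reads LSASS memory" finding from the question above, as an added example that is not part of the original thread or of any Adobe or antivirus code: it decodes the access mask requested on lsass.exe to tell a handle that can read memory from one that cannot. The event records are constructed, shaped like Sysmon Event ID 10 fields (SourceImage, TargetImage, GrantedAccess); the `signed` flag and the `ExampleAV` path are assumptions.

```python
import ntpath

# Process access rights from winnt.h (subset relevant to this triage).
RIGHTS = {
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

# Constructed sample records. "signed" is an assumed enrichment field
# (e.g. supplied by the AV/EDR); it is not a Sysmon Event ID 10 field.
EVENTS = [
    {"SourceImage": r"C:\WINDOWS\system32\Macromed\Temp\{ED9F96DB-0F7C-4FE6-8D3E-DC481E02E23A}\InstallFlashPlayer.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410", "signed": False},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "signed": True},
    {"SourceImage": r"C:\Program Files\ExampleAV\scanner.exe",  # hypothetical
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410", "signed": True},
    {"SourceImage": r"C:\Users\Public\setup.exe",               # hypothetical
     "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1410", "signed": False},
]

def decode_access(mask_hex):
    """Return the names of the known rights set in a GrantedAccess hex string."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def triage(event):
    """Classify one process-access record as 'ignore', 'review' or 'alert'."""
    target = ntpath.basename(event["TargetImage"]).lower()
    if target != "lsass.exe":
        return "ignore"
    if not int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
        return "ignore"  # handle cannot read memory (e.g. 0x1000 only)
    # A memory-read handle on LSASS from an unsigned binary is the case
    # described in the question; a signed source still deserves a look.
    return "review" if event["signed"] else "alert"

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), decode_access(ev["GrantedAccess"]), ev["SourceImage"])
```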

5 replies

Garr_Woof
Participant
September 15, 2019

I would like some actually responsible person from Adobe to answer this question:

Are ALL official updates from Adobe Flashplayer supposed to be SIGNED? By some CERT Organization?

Or is this an utterly useless thing that every hacker knows how to fake?

Either way, I see some unsigned updates on my computer, and I wonder whether they ought to be deleted.

Likewise, I also wonder why either Malwarebytes or Avast Internet Security does not issue warnings about unsigned updates from Adobe Flash.

The whole website of Adobe.com does not show a single article about this. So, I ask again: Is there a single responsible person working at Adobe.com?

nolsen311
Participant
January 24, 2020

Here's a fun thread on an earlier version where the advice is that VirusTotal has all the answers and this **must** be a False Positive, rather than an unnecessary read of protected memory.

https://community.adobe.com/t5/flash-player/flashplayer-27-0-0-183-exe-installer-trying-to-access-lsass-exe/m-p/10878479#M205620

April 9, 2019

Try changing the region settings, and the privacy settings as well.

Looks like a backdoor, like msblast on Win XP.

Change the protection level.

nolsen311
Participant
March 13, 2019

Is there seriously no public answer to this question?

I am getting so tired of community forums where common questions are answered "out of band".

Legend
March 14, 2019

If you're installing in China, I imagine you need to go out of band.

Participant
February 13, 2019

I see that happening on a machine I monitor in China. Is it normal for Flashplayer to attempt to access lsass?

_maria_
Community Manager
December 6, 2018

Thanks for reporting.

Is this a 32-bit or 64-bit system?

Participant
December 6, 2018

64-bit, I don't believe -skipARPEntry occurs when running the 32-bit version.

_maria_
Community Manager
December 6, 2018

Thanks for confirming.  We're investigating.