bazarloader | 97bf913d6017cb86c893aea40352a8494e3f91fd49c71bad4238d0d8a494bb4e

Analysis

max time kernel
415s
max time network
416s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlexStarter.jar
Size

209KB
MD5

891c86b9a742b72abed25d0dec570f12
SHA1

9839cfe7e6792b6438166fbda580468646576fc0
SHA256

97bf913d6017cb86c893aea40352a8494e3f91fd49c71bad4238d0d8a494bb4e
SHA512

0a8b345e7d65ea913d61924439833e1dbcee96e60b76a67a7ced9da6791de970209fd24dc1104a73d07dd51f019aa8f1adfeee317543e0dd209c958d7e9d91e8
SSDEEP

6144:qHkhB29WQ6Yvf2WPaqwDFwdEFwXkSUbRUK:qEA6YvOWSFwdZXkp

Score

10^/10

bazarloader discovery dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3040-571-0x0000021300000000-0x0000021301000000-memory.dmp	BazarLoaderVar5

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3236 icacls.exe

pid	process
3236	icacls.exe

Drops file in Program Files directory 24 IoCs

Processes:

javaw.exejavaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583369382177748"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
3692	chrome.exe
3692	chrome.exe
2844	chrome.exe
2844	chrome.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4060 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3692 chrome.exe
3692 chrome.exe
3692 chrome.exe
3692 chrome.exe
3692 chrome.exe
3692 chrome.exe
3692 chrome.exe
3692 chrome.exe
3692 chrome.exe

pid	process
4060	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe
4060	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

java.exejavaw.exejavaw.exe

pid process

4500 java.exe
4500 java.exe
3796 javaw.exe
3796 javaw.exe
3040 javaw.exe
3040 javaw.exe

pid	process
4500	java.exe
4500	java.exe
3796	javaw.exe
3796	javaw.exe
3040	javaw.exe
3040	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exechrome.exechrome.exe

description	pid	process	target process
PID 4500 wrote to memory of 3236	4500	java.exe	icacls.exe
PID 4500 wrote to memory of 3236	4500	java.exe	icacls.exe
PID 3692 wrote to memory of 4888	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4888	3692	chrome.exe	chrome.exe
PID 2116 wrote to memory of 3432	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 3432	2116	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 3688	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 864	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 864	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe
PID 3692 wrote to memory of 4652	3692	chrome.exe	chrome.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\FlexStarter.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0581ab58,0x7ffb0581ab68,0x7ffb0581ab78
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:2
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4168 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4952 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4996 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:5256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4324 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5468 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2536 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:1
2⤵
PID:5972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:8
2⤵
PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\start_flex.bat" "
2⤵
PID:5368

C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\.flex\bootstrap.jar" "https://launcher.flexmc.wtf/bootstrap/bootstrap.jar"
3⤵
PID:372

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw -jar "C:\Users\Admin\AppData\Roaming\.flex\bootstrap.jar"
3⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4368 --field-trial-handle=1904,i,15416048844855485939,17259740325705418543,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0581ab58,0x7ffb0581ab68,0x7ffb0581ab78
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1936,i,16685398875077309238,11063309328838788079,131072 /prefetch:2
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1936,i,16685398875077309238,11063309328838788079,131072 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:4060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\.flex\hs_err_pid3796.log
1⤵
PID:2320

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.flex\bootstrap.jar"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
36c6890fd1b1c483fe51b2fa9a8c3f73

SHA1
ca1bbffc05a1f1d0374570c7a2cf6274b9bff1b2

SHA256
0ce447f2c59ac62e70d397b11d9a9dd57f8ae58855ab017cac4a0dc79994b08d

SHA512
cc36b02e35ec4b47e6b01fc3ed658323293716f089f070582c535bf001e8f68a4bbeb637a3bf0f0c28cc557e99cf6319ef4d2c0ae68779a2df1370d259885363

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
8370d99564c2443e7bbe68ffd496c655

SHA1
1c7a3be57112f25d667cb4607a1879bc8199a34f

SHA256
0032ab7e6e0cb76d2a0ff6e7a905bdd2918ef6fef4328bf580b6192d982ae3f9

SHA512
d3507350dc4ded6acc2c409d7adf08658edb5d5de302d78350d60b7497913e1858dc0eb079ee3fdab4f511d9f11aedcd540539a28c04a17c8cb7fd8d84f6b1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
5b232f2ec5e33f7709f554291a0582c7

SHA1
8e09d16cdefd7434b6626535778c4d6aaa94502a

SHA256
539b48bb8997ee07f386d39e50b64b6a7f14ae24e0fd7c49a5d72e387860d5b5

SHA512
570f3bde7f527c8af2cefc04c0bb7d9024c2836b328a25dd50546cffc192d8256a276c6e8e07c0ca5afe06af86b819569f25ac6213e006588fc7edcc95e24d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
c073e0a9102655e56ab2e0c65f575080

SHA1
f5d07b95f2073fde0debec7d6d24c22511f3998e

SHA256
a81a26fe07f447aaa6ff672201d67faf34c2c9997bf37f310904216af3f68ffb

SHA512
bc669669d2ae92211aede1253c35213a4e35d9a97bb55f3491aa8e5176b99fe1bbb40d95fe0375f81331a38e5e256d30afba58c92721206202013b97a4ca189f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
c61a71904c67665a924b1500d5bcc11a

SHA1
94e62a2604f0647dd3a90ec0e8b85f2817d80e09

SHA256
542d746b9a1151cda34d68536f9a74e8dcd7b6599a8efb143591325fba095c69

SHA512
49a3b7693850e3d937ad9aaf9356de94d3da86bbe08065cecbd658ebba216389ef20bee2ea5eae00b5a3826dcec9eee4755e626048640c48d6e2558367680f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
0dc805d982d3dfcb0704c34a6f57d280

SHA1
13a9c27a4448216e3ba5729adb20c332f65797bc

SHA256
a8e9221faf9a10531242930e68c1f7c6be43bd17010347fd329dcf8409d4f700

SHA512
09b270244bb2ca535fb140cdcb737f77d78d10c6884aa04305a662b4229d38d343dcdc76731e0fcc6e8e931e254ea9e13a61f49f0d2706c5de72971fe7be6868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b5ae13b5e33556feeb7b7594d3b4b9a4

SHA1
9597b13a5ebbd09a53e3684388cf3006254988f0

SHA256
15b4e5eb3766c5f773ffe8501531cd23d278bde3507ec4ba88ab7b685c14697f

SHA512
c31546e7f39fbb8b12a0ff0c149ee10db83555a380edf64cba5367addcb91c5720d14111e696e9201bc849c4bbdc1bd28e5afd85abc6f2d84638033ba0610920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
8afad84d7734f62e765f72383a49327c

SHA1
3f29a01419007eda14be42876624636a6589b8ac

SHA256
ddc2f74e538814e3dba8b9037d2068901259b26fe218a6fcd2abc8166b5663e4

SHA512
7ce3367b3d2db3d1b96ae63748c8668cb7e324d9b8d433097740eb6320bc1bfb02b144476635c2403fee8f21f33734fd0b50c71c07399df3258c3f8416460e55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
0a14ac5c2132be64237ac9dd80f6b588

SHA1
ed7b207389b5afd25d5c5c05fcf8170560fe29c5

SHA256
c6feb82588f1b7ccb3d6eb8d101c4b01001ef2a1ea0d3e2cbbf23e72c1c7a1f5

SHA512
a72465ec9e4b21f307ad2be897da53bb9e8a3cfa63ff70d18043e1a7ce0aa451f62cf138f68194622f510da2d3917812208784190543e0b9b48c997c51b68aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c440991a-0a28-40b4-9773-adc9dfdee1a1.tmp
Filesize
4KB

MD5
bbb0116b3080314735fde7b40a33efd9

SHA1
956d6b5f5212e30d958304cd86c3f87b219d2c4a

SHA256
a77c139d134056b43c22fb4ba7370843f4cbba8da34e0e613bde9c36f2fc3345

SHA512
6cc14ba5ce475159cefa96e34a10a848e9dbf9718e4e1f9b9bdd82d6a4f1e6e6107fd9ac5b135c328cf8d337e1cd8a11477da4078462e4679796f195510e4c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6f6d3c7fbe92e2fcbad0b38a57a4987a

SHA1
ac7425e3627c285c4111b6e971775fe83401817a

SHA256
440845dfbc240a53c67bc8d116dd13a29a95043c00d694045f3f34852a3b48d1

SHA512
06a08aaaa6901b4edd26ca5bca2902f5c1d25e79756768342272778a6e2e9880d741f538480bef50344b82962d230d4aba55c18dc448764d7f57a70d0e3547c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
87542b0a19deb8be34c3c6196c62e18f

SHA1
725717590c6f197356680dc1e9b5549cebedf74b

SHA256
36be94c5acaa99989ea5d0f4576e93d9c8fa64407d19faba6995f8ae270336f7

SHA512
5295f4a9307339368805d38d18322d5ad11020e89ddc3b6e8a7fc3277ff9a74e739d86ebeb22e5a852ca9baf674a6a0e377661c6bde7653e1bf44e583ca1de6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ded1a0b48aee03019cabba1caa4a1449

SHA1
4988218152aad927372685b1c216624c48c73ce6

SHA256
7ad8fdaa28f3fcbdd95c8923cc35bc179be31ba3f3fe557c7be642e9d6d98e9a

SHA512
6a2035cca9e7d96a60168c963849df0068de5b66a7a376098c2fb9843e5126061522a86a89e8b141350770576fec889590547645240d605f5ff6882a68b18912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bd211ca5445b3d0bd6cd71134c6462ce

SHA1
b41391f73cfa06a7e7347c81f47949a4b161af6a

SHA256
3499317b8c6269b3fed1643bfea4b66faa7c131a5ac7bc1237cbf30c059669aa

SHA512
21a7e4d484133b0fc0c966221518219264a4d783bad3f034b3f23527863a170f4315f424fd551b76d154a5b7265fd361c0dc65af5582baee32b9e723907e14f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
a4b610574b2852f19d55bb0980241cb1

SHA1
57fc52ce6a7d0f1790b18de90d16a697c6cc87ed

SHA256
8254d9ee89c7b48484e9792795cc91e0ef7c002e3818ff45c2deacc37f23768b

SHA512
bd4b5660cd36e17e7c0c60f6630ddcfaf98742f31bb2f8928d84d7e386021fe37628fa8c70eba7f1014d4a96901ff1a5b029a386191c45a0f84d3bf770556e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
e0067b1f3c69a9316e9176d5b3db6f2b

SHA1
7cc7389d401e897693ccfd0803fbca4010be85f7

SHA256
ff23b9248bed944b4278b1a3cc3b88bb6c069f2410d427832c0c4d7ef838f707

SHA512
b113d9119e885e5e07bac552cb26cdac7f4f3d23a1bc64914229907d6a9b57ae3267bed1eefc8a51043b320a6cf20f5e62049441130fb25f0f4c110baa00ca81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
e0ebd63b1e03faf5910d78c84268214b

SHA1
f0100fa49a195ba1cac936690e17706c170fe891

SHA256
736f75fd26adde5b93f159ad130803cf87cf461c8fc91a79522fcd671dbd5910

SHA512
59c889fffba1988093ab5518f03b4aecfcb1bd0c5860a0aa78ef2528425c774497674d5374a08a2f50b316e091b1e68b637570291221a5d118e7a9f63f33f1d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
cb5ffb9c78d8723f009480181bd3da32

SHA1
ba7e8d51ed355825e13cc3eaf34402560b048306

SHA256
af978754678e3a51db2a7067ddebb686f85c06561a7b918f42134463a6e71bcb

SHA512
072462858b94173f4c3a3bde7e80c1e6133abb9e485c35ef0f3a873966c48055ff08d85d3a1639acd1090a641fcacb81db35e70ab0e9b81c77ae16014907c29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
65674f82f6b0178cd55767363cdb7030

SHA1
2299793b45e3cd208664187cb8b6382dc5ca6d20

SHA256
a77862d11c7727565afa92302d11b4f508a718152eff0a2742ca69058c616a6c

SHA512
55b81787f10b18c2cfb2dff3c616d6e4d884e7e4a93036b7c72fabf296385ac5519d8642023edb901e4811344546fca008422e2c7eaec619c39a6216508c96da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
16426a5d5076cfc5a11ced26e130f6cc

SHA1
e703aab591f1989ea43499697aa7c713fde91bc8

SHA256
ecde7ad3b11ed0acc7cf104d6e1502932ae76decbebec0fd506af3bc44b750a6

SHA512
4f146ad992003560bf5f18561827a40a91fb215c14c21bafb9d37d4d8dbba401e13dd32bbc5ffbd24c50bd9953bc6765246bd2754386b8fa00c9cfc3c79699e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
c4b8ca6e3abd24c734b0aa246468b784

SHA1
7ad5889dc0c6238e36f274036b69c3c6a0e9bc1d

SHA256
dc2366f3c7c505629e85887ef899a93bc4086ed4165dac06e9ef5c02dc8b3668

SHA512
fc52a7738aba5a4fa96ddcd6e038975b3fe640ca4717709d28495874ef54e8c6f46c26bcb295dc86aade08b1bf90c117fc66e875974a428f1a164afc713d1615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c5b1.TMP
Filesize
88KB

MD5
0c785249fd3dc30bc8d5a705e7d30bf8

SHA1
96b756af4cf204dc0859bc084a9715709c7d4356

SHA256
d76736ed20b22352543d5b43466729187ca977859f8bdcc2369349cc3cc48d33

SHA512
1eddb599135bf2c2f1bf322c5fb61080d495674351a433560add99af6962e3b08d54431b5e578fbfa186a61d8551fb649e136a6672551bb150cc29ef86c9a05b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Roaming\.flex\bootstrap.jar
Filesize
7.0MB

MD5
ef30f1ff249ccb123366b3c74d516e15

SHA1
bf81e46b7da82d142455fe400c5941dac30abe94

SHA256
0f5193cda385538d75791b6b2d37dd5361b382e09314c66af44c111a71b50412

SHA512
8215a40b7b3277f2241634130091631c3958f11aab307ff919c6fbea1d409c99b3725cb228c91a072eb069a0c25ad56eb65e848f46acda75f90308fc0bd040cd

Download Submit
C:\Users\Admin\AppData\Roaming\.flex\hs_err_pid3796.log
Filesize
19KB

MD5
24cb83ba0653e2fd67a6cad334726dc6

SHA1
62b421ed0db43821d362cf95cd34bee8a792dfea

SHA256
d9cada2596827736b6e76aa468a7e4d9bb719aa2841f64296089f945d056e908

SHA512
51f7d3a3f441ce05b43c59b73d53ee4ae3855f5860f9393b9b86ba7fe0a4935cf4e436d2ecf22d52b22057d1751a54192797cf44dd8a4aec151f826010cfaed6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2177723727-746291240-1644359950-1000\83aa4cc77f591dfc2374580bbd95f6ba_83f067b2-4236-4e0d-83e4-ef79b7da67b0
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\Downloads\start_flex.bat
Filesize
471B

MD5
ae3f8392342ba5bf972003537bd86589

SHA1
d0a01513146966557737f8514786ea87c605b0a9

SHA256
60c1fe154bfa443b9a71adcce5b684d6496b8111233837bae02e68efcb8459aa

SHA512
9902d3d778311b8b9e3e3837b5c4e00bbf18f2ff08623c28b76c746b4171a0fa0f9405a5a8555a720bf9ca771b099e214b8598e0be4f1807f3ed0f9ed0ccf345

Download Submit
\??\pipe\crashpad_3692_GPGRGZAGXVJLATQW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3040-557-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-560-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-563-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-555-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-539-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-535-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-531-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-566-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-571-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-497-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3040-575-0x0000021300000000-0x0000021301000000-memory.dmp

Filesize
16.0MB

Download
memory/3796-307-0x000001A307270000-0x000001A307271000-memory.dmp

Filesize
4KB

Download
memory/3796-424-0x000001A308B70000-0x000001A309B70000-memory.dmp

Filesize
16.0MB

Download
memory/3796-441-0x000001A308F10000-0x000001A308F20000-memory.dmp

Filesize
64KB

Download
memory/3796-268-0x000001A308B70000-0x000001A309B70000-memory.dmp

Filesize
16.0MB

Download
memory/3796-282-0x000001A307270000-0x000001A307271000-memory.dmp

Filesize
4KB

Download
memory/3796-442-0x000001A308F20000-0x000001A308F30000-memory.dmp

Filesize
64KB

Download
memory/3796-440-0x000001A308B70000-0x000001A309B70000-memory.dmp

Filesize
16.0MB

Download
memory/3796-438-0x000001A308B70000-0x000001A309B70000-memory.dmp

Filesize
16.0MB

Download
memory/3796-429-0x000001A308B70000-0x000001A309B70000-memory.dmp

Filesize
16.0MB

Download
memory/3796-283-0x000001A307270000-0x000001A307271000-memory.dmp

Filesize
4KB

Download
memory/3796-416-0x000001A308B70000-0x000001A309B70000-memory.dmp

Filesize
16.0MB

Download
memory/3796-381-0x000001A307270000-0x000001A307271000-memory.dmp

Filesize
4KB

Download
memory/3796-302-0x000001A307270000-0x000001A307271000-memory.dmp

Filesize
4KB

Download
memory/3796-305-0x000001A307270000-0x000001A307271000-memory.dmp

Filesize
4KB

Download
memory/4060-469-0x0000025B259E0000-0x0000025B259E1000-memory.dmp

Filesize
4KB

Download
memory/4500-4-0x000002464DCB0000-0x000002464ECB0000-memory.dmp

Filesize
16.0MB

Download
memory/4500-220-0x000002464DCB0000-0x000002464ECB0000-memory.dmp

Filesize
16.0MB

Download
memory/4500-57-0x000002464DC90000-0x000002464DC91000-memory.dmp

Filesize
4KB

Download
memory/4500-25-0x000002464DC90000-0x000002464DC91000-memory.dmp

Filesize
4KB

Download