rhadamanthys | hxxps://www[.]dropbox[.]com/scl/fi/84aaoddpxlr3zz78hvwul/Revocation-of-copyright-for-The-Music-School[.]zip?rlkey=dapi9fh3bhwsdbg34c9ek7l44&st=9hrxlndc&dl=1

Analysis

max time kernel
353s
max time network
347s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/84aaoddpxlr3zz78hvwul/Revocation-of-copyright-for-The-Music-School.zip?rlkey=dapi9fh3bhwsdbg34c9ek7l44&st=9hrxlndc&dl=1

Score

10^/10

rhadamanthys discovery persistence stealer

Malware Config

Extracted

Family

rhadamanthys

https://147.124.220.233:7843/0a493f164c8de167e156e/s2u8lic7.93tn6

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Revocation of copyright for The Music School.exe

description	pid	Process	procid_target
PID 4124 created 2760	4124	Revocation of copyright for The Music School.exe	49

Executes dropped EXE 2 IoCs

Processes:

Revocation of copyright for The Music School.exeRevocation of copyright for The Music School.exe

pid	Process
408	Revocation of copyright for The Music School.exe
4124	Revocation of copyright for The Music School.exe

Loads dropped DLL 1 IoCs

Processes:

Revocation of copyright for The Music School.exe

pid	Process
408	Revocation of copyright for The Music School.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3788	4124	WerFault.exe	108
4480	4124	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exeRdrCEF.exeRevocation of copyright for The Music School.exeRdrCEF.exeRdrCEF.exeRevocation of copyright for The Music School.exeRdrCEF.execmd.exeRdrCEF.exeRdrCEF.exeDllHost.exereg.exeAcroRd32.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revocation of copyright for The Music School.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revocation of copyright for The Music School.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718907815293805"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exeOpenWith.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

chrome.exeRevocation of copyright for The Music School.exeopenwith.exeAcroRd32.exechrome.exe

pid	Process
2960	chrome.exe
2960	chrome.exe
4124	Revocation of copyright for The Music School.exe
4124	Revocation of copyright for The Music School.exe
4300	openwith.exe
4300	openwith.exe
4300	openwith.exe
4300	openwith.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
224	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
2960	chrome.exe
2960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	Process
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeRestorePrivilege	1148	7zG.exe
Token: 35	1148	7zG.exe
Token: SeSecurityPrivilege	1148	7zG.exe
Token: SeSecurityPrivilege	1148	7zG.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

chrome.exe7zG.exeAcroRd32.exe

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
1148	7zG.exe
3840	AcroRd32.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exeAcroRd32.exeOpenWith.exe

pid	Process
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
224	OpenWith.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
3840	AcroRd32.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2960 wrote to memory of 2040	2960	chrome.exe	82
PID 2960 wrote to memory of 2040	2960	chrome.exe	82
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 1136	2960	chrome.exe	83
PID 2960 wrote to memory of 3084	2960	chrome.exe	84
PID 2960 wrote to memory of 3084	2960	chrome.exe	84
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85
PID 2960 wrote to memory of 2352	2960	chrome.exe	85

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2760
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/84aaoddpxlr3zz78hvwul/Revocation-of-copyright-for-The-Music-School.zip?rlkey=dapi9fh3bhwsdbg34c9ek7l44&st=9hrxlndc&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff849edcc40,0x7ff849edcc4c,0x7ff849edcc58
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1584,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3992,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4576,i,5784051829624890734,9667946550727621032,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Revocation of copyright for The Music School\" -spe -an -ai#7zMap2317:150:7zEvent4761
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1148

C:\Users\Admin\Downloads\Revocation of copyright for The Music School\Revocation of copyright for The Music School.exe
"C:\Users\Admin\Downloads\Revocation of copyright for The Music School\Revocation of copyright for The Music School.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:408
- C:\Users\Admin\Downloads\Revocation of copyright for The Music School\Revocation of copyright for The Music School.exe
  "C:\Users\Admin\Downloads\Revocation of copyright for The Music School\Revocation of copyright for The Music School.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 500
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 508
    3⤵
    - Program crash
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:224
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Revocation of copyright for The Music School\rename_me.rename_me"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=538CD8DF22621C9EA217764A690FA588 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=538CD8DF22621C9EA217764A690FA588 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A66C43215CCB6D75A3AF65EACCE0E918 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=101D5CB9543405E91381EC628BBA25DC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=101D5CB9543405E91381EC628BBA25DC --renderer-client-id=4 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3120
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ED2B014BF044329CBFEB0D348276061F --mojo-platform-channel-handle=2748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=961A0E2E5561B864FDD54F796144066E --mojo-platform-channel-handle=2124 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4236
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C9609F6373CD9BC77E38CB9AF990EA9 --mojo-platform-channel-handle=2984 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2072

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{5AAABB05-F91B-4BCE-AB18-D8319DEDABA8}
1⤵
- System Location Discovery: System Language Discovery
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4124 -ip 4124
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4124 -ip 4124
1⤵
PID:2104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Revocation of copyright for The Music School\msimg32.dll
  2⤵
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e8aa18e4ac0ad9ff7291469e82eaa105

SHA1
2e1a5965a618e77eb88d4cd47e761a3021d53cbd

SHA256
8d91d3d890428db04c2b92c9145e1e5f1b463fb8ac010f0b733089859ea3f520

SHA512
53b168815ff617e32e8955d3df5ba4a6c3af6d28b6e8cedae62ff3e566377b26a39b5b43213bbb1394938f1a28fd2154ec267cc8c47ac2ae9b7ce2606b79ac1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1f31b4cf4e3cdfd1c88009f5fadac08a

SHA1
0a8f83faf9e983cdcf982e311cae0a211d8b0f3f

SHA256
c5fdf996ae40f2ebce7e74972d1d6e937b9c0b54aa59589a6ea1a1ee7f0150c5

SHA512
2f7284d0e14bcaeeaf1b38bcb6297704f29c6fc3e84660e1955012182ed372a84571595360b13881cfda8bd22e8dd4f9e99f67ca9ce0148a4ed6053caa921701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c10a4f7f781dcf221ebc529ed1513d59

SHA1
899b4face1cbf308be5800ed023e3147f8e3e13c

SHA256
625cc2459a6f314dede0cee0f149a992b0e3d24a84487a5fbeb9e64352948aef

SHA512
1845031a9afe53cbd1a4b9bb1714d61253a5c42fe9730b33624a9e7980b084f57b66b333359e2cc31211400bccc8490f7422b7c143d035c36245835a124e2ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d8f99318f66e603831887a41654bcbd

SHA1
a1fd228d268066930a47aca06c6490c9d9693290

SHA256
65eb45d8fca7592fc5ad8eed53c160369611ea3d6250490b3e0e56db680536e8

SHA512
55064ae95d4dde0270de362cc7e5862283b7451b28a37cea5b9956655a70069cc0752953858fac814c2deb66bb419cbe662442c0ea72ed18b5b2de9ba3d1cd27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b0da32bc56584b7f08b344961502f36d

SHA1
99b9498a5f58f70f31bab0402c40fc8a43d02d59

SHA256
ab47357288de902de1563c5486debd46b31091d9c48e2e66fac1b2b338c898fe

SHA512
a3f3d03dbfc0c6edb0a0ce7972c6c5837a9811157c4e5a8aa7cff004c8ff701ce10ebff723876751db2f6a697aa751902dbb9f02ec0cddab95f441f8b3e90457

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ab676028e3cd6b6dfc65e40edc124a45

SHA1
5944e0ae88a34c6016c3d90b0dd7ca44df85ba60

SHA256
8c797de3b1df6a2be46f2701457a1b2459c438ec3a843eefddf6526c3695544e

SHA512
44d465293ad3c9af257ef3eec0458f3b7ab098651483a7bfc7a2713a94e5c306aeedd49f924c466765f723df5ca9dbd4784c64f8698450d2f605f437571f3c99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d22e0a9d3bf2f05dcdb9fd80b2fff70

SHA1
d6e3be2bdca67061ba01ed0bee25eaff3da29c3a

SHA256
8ab8e1179d42d6c2fe8b4dd66e581f979f7ec2ac705a4f9b8568466de84af962

SHA512
14783d373769e7e6316b2b6f34208d67688ee01315d15dd39772408d607089b3b5bb33a10d18ed7133abe50044b0fbddc8d1850817b42d59dc0821f592ab7bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec8e3631aa0d6b550ad7ded879b14996

SHA1
fe38e18e2e2aa2d8279a7a03a9c576a3ab7c1831

SHA256
a615f9e9c61a0baebe08c33cdd29dc8aa7c0819a78fd68530431991db7295616

SHA512
fedf8fbb6e4da3ee973d924cbcb6c0f6de3528f72223db3d0394a529347325d24133a5714bab1adc96cf15fb3b72dc5e7d7b443c6bf8035ea6c84ae84736f906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c4d4259cc0f2ac655a4a3d7b96e5a81

SHA1
af968f503d32ba0320da9050fadce652f5611d16

SHA256
1b30dd00ac324d7778f289fdc546151b1be5c9f3ad4b1d6d3f7f89ca535e3c14

SHA512
597f29e43a8ff91a98aa617f6f7928b2b3989c7350c5db5a4310be3fd1b2ffe2778bfa1c6147da31e6ab49bc57ff60db5bbf1b5facc4fcacde68e3af068c92e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f18a7ef8df977a4994c83589d7c5b31d

SHA1
b248c0d042fb8e38c4494e88d8756b14b8f64173

SHA256
18580fa994abb0fb9078abb4abc35d51fd3b545cb163a03ca99b94bc9366b589

SHA512
50fceabdac9f29d0d2a3a976b5e34e50a328d2b37bc536ebf206a553a5c585728f79d34198cc60f2f57a2c91e745e5919b669f64519eed9ab772eef8a5a97781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf2ec7a6a00df5b9a98071c09e858501

SHA1
cdbf7dfe3668a79544af18322dc6f5ee5225c33e

SHA256
5b75fd04c475eb806b5bda934e726028ce10e7c96f26e48321c7e47dc363bc4f

SHA512
711c12a7f115da89b301bb3e42f1fbb69f847f602d6202b1cd300901aa5c12da97c65dc3dda042780f9228dcee77e5be80d6137cace76a7144aba441949caa13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dbc861acb5db62f643f50db7776b12f

SHA1
0c6c3521a7194bfd49063d0e61aed3b7844f45be

SHA256
232500e108cd594043084d553127dde15d696344e2a4d3036a4ff4dc700e310a

SHA512
b29fd3cccf4857e60dca93edf44a4882813798fbcba735f4cbbcf7d774ae4b3361ca2b98c05b7c29e6b9068f5aa8dc74d1ebdbe8a46feb46078a68023f3e63eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a58dcff143d71b45989534904416258c

SHA1
d6c8827955e43821004ee75f9a2e3f2bd3add186

SHA256
0544825a6fa87d46c6b49cc347c324197a436f836c1fde9598d825ba485dfeca

SHA512
eab451779b36d2062b3670fd96c3b549003eb8425eee48c9cfbf2d52ab9083f428a7c62e4b41935fdc5c3774a02347d7e5aaf7efa64485b7fde30f1a9b88f848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3583bc3ae6e382ee192b864302351e80

SHA1
1c21bb23b5b2469fc2ad49fb26184d4884fb6f79

SHA256
d3352a3c6effb60c5dee6ec13a757df80c8def02150478701526b467b804828b

SHA512
966d79b5c150f1531b3c1631b36378e3af102dfb506315a02c490b6aec4e8442dc618a45cdb91fbd4b8bd65194e98608824408b7ec8287933f1649a222299644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c53bbc3e032dcc7ef4502c78e2b07a1

SHA1
09f0ff3d3d1dc82f1b7a4a69ec5804b63c03227c

SHA256
db9e99150901ad973b2ac6b6b52a0e53c810bbcd6711d8435a7d485af68ac4b5

SHA512
3f5ed2ad80553293d6f24e8e50ea7e4fbb315a5b6c310c66aff03808b6998bd8fd8b0597df883903e31e4b63b4882e4076228e7b94a60e8bf13cb423514cafb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5aacebfb2f4f9998be72068741b0f0c

SHA1
ea028548c97c174fe75e2014938db1960e325fe5

SHA256
4b7c1fabc4bbd08758447d8ae8fb305a830dd0688adea2f8da3ffb7ebd79b3a0

SHA512
4263e94507c62d02b1a85ec312c07eaf6a264ed20a2806a8066a517a6d463acbd014b5f04dbd129486b4a7278703c2b130a781d56118441326f677668d3d6419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
278a55c32f3fe6033cf7a391ea2e5de2

SHA1
eefe6181417805e92337ff9b7feb81c0dc4676aa

SHA256
fadca56339cce946e0177e26b608152c99290d9862e15334977b481b36873fce

SHA512
c6f54df688e74d187a2fea9784ce2ffe9b2e6618af1e2393d1d18caa8b8588b7ec8faed3185792c2f49959507c87f2fe1d268852540e21baebd1792554fd65a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8530f2d0c9925366ba33c5be680068b

SHA1
39dcff87d2ae11fb4a9390c6a4e1b850e77a9ca4

SHA256
c98d176173d96a6a0fc96208e367242d810cafab836ae6a4780a8c61b2ad95de

SHA512
a953f40a9438a042663e232547c9ffa2036edc8e894384faa52fd8f8fe081a4aabdf60ad9f38d2d201f757bfc11403c56879971e88bf32c25cc1de1bdb363ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22d8d450c7e5033379c30a0c9d3be095

SHA1
dd293b29c086df1f4fed34d82c951676685b4bbc

SHA256
9f2ad6c75269f842b48c7c6af19ed8093ff847f17908ba445ab9e78534a41e26

SHA512
18fbfd54845012e1acb1bc105adf63b1851d887641b1473168be49106b4dbff9c37dc8abd87d10064231d4b888298394e09af907c78873568a14f63a9cda0f8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec67977d4e19002e6ed518e7e31fc2c2

SHA1
35aec47852a54aaa813e304331359b37c8fdfcd9

SHA256
0ef24ec0191578adfa0d2ad0b978e73bc41c5f793011131dcafd2d8617056bd4

SHA512
d5ddf7d05d035bd4bbd64420a912e6b40103e44c3449c6d957ecde79f66a962933970a2f92995b09589a6fcb2b2fddff5b9699310a25593b65f71af5989d3680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
051c82d7787de6fe5293ba30a60fa69e

SHA1
a2c9a1859be4974255cc6cc864c2bcaa6fac25af

SHA256
4741208900c05754cb3e5ff53f159ba7717ea02fe33a14b2e1656aa81d70a614

SHA512
4fb6c28a5181c7de19efb3ef345f204137f861112e70c6a2d6ad76fe36aee9c5dbde23681d16cf78470fe21713fc5bc1863bd489a7a4106bbc3dbc0ccefd706e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bdff2dbe7bd6a8b85df3ca191e1a3a7e

SHA1
d16cf9772a3a6378ac4b688a724aaeaef0b61d45

SHA256
6a7cff8d6db9590832e9de32f3b37b50b6a12783783d0f9633443ea363fb469e

SHA512
76efffecaa85bbe6a56986fca1b3d7988cd8d4a86c9f3480df79be8364c2d50f7598bd10e911add92420cb73404adf28f9f8bf61024df4050774c4e38880751e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ad03d7c1c75da85b0735b00c92c91568

SHA1
86338611f218de5f2f3c7c0c720a2d6e195c3e0a

SHA256
0b06be9b65c7cf826d1535fa211f24885e2f2c8aa826e67945b3ba581822b6fe

SHA512
758da25eb1856c9f6062a02d7214134b5acf2ac3628041a6b64fa6e1a1f9deb756572d0917cfe2d238dbb4702daff5d15c8ee6d4d04520f4d6b0511cab5be101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9a0e6d16f1f89a923ecfc06b1806759e

SHA1
a7997e0739ab104e0d5ebb341fda1bd3de0b721e

SHA256
322017f0b48833d2bee7335de48d10eb0837f4943ae3a2ccabf95c5e431e599a

SHA512
5ebdcbe4ea24c1798ebe14f95ae6db84f7eae3c5de36c9426c4fa8240cd4ff80c4694c5a471d28b0b83e596eee4ab20663e5341ac71bc63955ec9d4eab674e54

Download Submit
C:\Users\Admin\Downloads\Revocation of copyright for The Music School\MSIMG32.dll

Filesize
15.0MB

MD5
e29bbcc3dc9ac5bdfbca71244215a4f5

SHA1
4b97f6ccebb6f188def1640e1311500eeaf6e65a

SHA256
155b4e58c22533bee1ada6310498b54d031c7234f3dd54e9ab04d12c29d5497c

SHA512
618777b4a6605047f2dc2bcdd2c63a569165172a1244e3bba70769efc1a29b6bf544bd58223a8c1d3d023f20c8663e765c725e76dd3b882421ddd677162e8bc8

Download Submit
C:\Users\Admin\Downloads\Revocation of copyright for The Music School\Revocation of copyright for The Music School.exe

Filesize
6.1MB

MD5
4864a55cff27f686023456a22371e790

SHA1
6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

SHA256
08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

SHA512
4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

Download Submit
\??\pipe\crashpad_2960_YVDCRVPYTNOBNMRQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/408-83-0x0000000010000000-0x00000000101E3000-memory.dmp

Filesize
1.9MB

Download
memory/408-81-0x0000000010000000-0x00000000101E3000-memory.dmp

Filesize
1.9MB

Download
memory/408-80-0x0000000010000000-0x00000000101E3000-memory.dmp

Filesize
1.9MB

Download
memory/408-88-0x0000000010000000-0x00000000101E3000-memory.dmp

Filesize
1.9MB

Download
memory/408-86-0x0000000010000000-0x00000000101E3000-memory.dmp

Filesize
1.9MB

Download
memory/408-82-0x0000000010000000-0x00000000101E3000-memory.dmp

Filesize
1.9MB

Download
memory/4124-125-0x0000000076BF0000-0x0000000076E05000-memory.dmp

Filesize
2.1MB

Download
memory/4124-122-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/4124-121-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/4124-123-0x00007FF857F10000-0x00007FF858105000-memory.dmp

Filesize
2.0MB

Download
memory/4124-85-0x0000000000A30000-0x0000000000AAE000-memory.dmp

Filesize
504KB

Download
memory/4124-91-0x0000000000A30000-0x0000000000AAE000-memory.dmp

Filesize
504KB

Download
memory/4300-126-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

Filesize
36KB

Download
memory/4300-128-0x0000000002A50000-0x0000000002E50000-memory.dmp

Filesize
4.0MB

Download
memory/4300-129-0x00007FF857F10000-0x00007FF858105000-memory.dmp

Filesize
2.0MB

Download
memory/4300-131-0x0000000076BF0000-0x0000000076E05000-memory.dmp

Filesize
2.1MB

Download