rhadamanthys | hxxps://dl[.]dropbox[.]com/scl/fi/hqtl599agsvsab9ijb6k4/YG[.]pdf?rlkey=3gohs0awn0aw8e1ugsjirw54e&st=myg4ma8u&dl=0

Analysis

max time kernel
266s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dl.dropbox.com/scl/fi/hqtl599agsvsab9ijb6k4/YG.pdf?rlkey=3gohs0awn0aw8e1ugsjirw54e&st=myg4ma8u&dl=0

Score

10^/10

rhadamanthys discovery execution persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AddInProcess32.exe

description pid process target process

PID 4432 created 2772 4432 AddInProcess32.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3916 powershell.exe
5744 powershell.exe
3776 powershell.exe
4080 powershell.exe

description	pid	process	target process
PID 4432 created 2772	4432	AddInProcess32.exe	sihost.exe

pid	process
3916	powershell.exe
5744	powershell.exe
3776	powershell.exe
4080	powershell.exe

Executes dropped EXE 16 IoCs

Processes:

위반된 이미지를 삭제해야 합니다.exeAmericanLowest_Launcher.exejavaw.exesistercompetitivepro.exesistercompetitive.exe위반된 이미지를 삭제해야 합니다.exeAmericanLowest_Launcher.exejavaw.exesistercompetitivepro.exesistercompetitive.exe위반된 이미지를 삭제해야 합니다.exeAmericanLowest_Launcher.exejavaw.exe위반된 이미지를 삭제해야 합니다.exeAmericanLowest_Launcher.exejavaw.exe

pid	process
5444	위반된 이미지를 삭제해야 합니다.exe
4012	AmericanLowest_Launcher.exe
1264	javaw.exe
5808	sistercompetitivepro.exe
6092	sistercompetitive.exe
4080	위반된 이미지를 삭제해야 합니다.exe
4204	AmericanLowest_Launcher.exe
860	javaw.exe
5444	sistercompetitivepro.exe
3724	sistercompetitive.exe
5420	위반된 이미지를 삭제해야 합니다.exe
5576	AmericanLowest_Launcher.exe
3964	javaw.exe
2460	위반된 이미지를 삭제해야 합니다.exe
4832	AmericanLowest_Launcher.exe
5324	javaw.exe

Loads dropped DLL 60 IoCs

Processes:

위반된 이미지를 삭제해야 합니다.exejavaw.exe위반된 이미지를 삭제해야 합니다.exejavaw.exe위반된 이미지를 삭제해야 합니다.exejavaw.exe위반된 이미지를 삭제해야 합니다.exejavaw.exe

pid	process
5444	위반된 이미지를 삭제해야 합니다.exe
5444	위반된 이미지를 삭제해야 합니다.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
1264	javaw.exe
4080	위반된 이미지를 삭제해야 합니다.exe
4080	위반된 이미지를 삭제해야 합니다.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
860	javaw.exe
5420	위반된 이미지를 삭제해야 합니다.exe
5420	위반된 이미지를 삭제해야 합니다.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
3964	javaw.exe
2460	위반된 이미지를 삭제해야 합니다.exe
2460	위반된 이미지를 삭제해야 합니다.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe
5324	javaw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sistercompetitivepro.exesistercompetitivepro.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sistercompetitivepro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sistercompetitivepro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

sistercompetitive.exe

description pid process target process

PID 6092 set thread context of 4432 6092 sistercompetitive.exe AddInProcess32.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5372 4432 WerFault.exe AddInProcess32.exe
3300 4432 WerFault.exe AddInProcess32.exe

description	pid	process	target process
PID 6092 set thread context of 4432	6092	sistercompetitive.exe	AddInProcess32.exe

pid	pid_target	process	target process
5372	4432	WerFault.exe	AddInProcess32.exe
3300	4432	WerFault.exe	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

javaw.exe위반된 이미지를 삭제해야 합니다.exe위반된 이미지를 삭제해야 합니다.exeAmericanLowest_Launcher.exejavaw.execmd.exejavaw.exeopenwith.exeAmericanLowest_Launcher.exepowershell.exe위반된 이미지를 삭제해야 합니다.exepowershell.exepowershell.exejavaw.exepowershell.exesistercompetitive.execmd.exeAmericanLowest_Launcher.exe위반된 이미지를 삭제해야 합니다.execmd.exesistercompetitive.exeAmericanLowest_Launcher.exeexplorer.exeAddInProcess32.execmd.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	위반된 이미지를 삭제해야 합니다.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	위반된 이미지를 삭제해야 합니다.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmericanLowest_Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmericanLowest_Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	위반된 이미지를 삭제해야 합니다.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sistercompetitive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmericanLowest_Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	위반된 이미지를 삭제해야 합니다.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sistercompetitive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmericanLowest_Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exesistercompetitive.exemsedge.exeAddInProcess32.exeopenwith.exepowershell.exetaskmgr.exesistercompetitive.exe

pid	process
3920	msedge.exe
3920	msedge.exe
4232	msedge.exe
4232	msedge.exe
5104	identity_helper.exe
5104	identity_helper.exe
2492	msedge.exe
2492	msedge.exe
5920	msedge.exe
5920	msedge.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
6092	sistercompetitive.exe
6092	sistercompetitive.exe
6092	sistercompetitive.exe
6092	sistercompetitive.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
4432	AddInProcess32.exe
4432	AddInProcess32.exe
5312	openwith.exe
5312	openwith.exe
5312	openwith.exe
5312	openwith.exe
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
3724	sistercompetitive.exe
3724	sistercompetitive.exe
5596	taskmgr.exe
5596	taskmgr.exe
3724	sistercompetitive.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
3724	sistercompetitive.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

7zG.exe7zG.exepowershell.exesistercompetitive.exepowershell.exetaskmgr.exesistercompetitive.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4744	7zG.exe
Token: 35	4744	7zG.exe
Token: SeSecurityPrivilege	4744	7zG.exe
Token: SeSecurityPrivilege	4744	7zG.exe
Token: SeRestorePrivilege	5156	7zG.exe
Token: 35	5156	7zG.exe
Token: SeSecurityPrivilege	5156	7zG.exe
Token: SeSecurityPrivilege	5156	7zG.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	6092	sistercompetitive.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	5596	taskmgr.exe
Token: SeSystemProfilePrivilege	5596	taskmgr.exe
Token: SeCreateGlobalPrivilege	5596	taskmgr.exe
Token: SeDebugPrivilege	3724	sistercompetitive.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exe7zG.exetaskmgr.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4744	7zG.exe
5156	7zG.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe
5596	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

javaw.exejavaw.exejavaw.exejavaw.exe

pid process

1264 javaw.exe
1264 javaw.exe
860 javaw.exe
860 javaw.exe
3964 javaw.exe
3964 javaw.exe
5324 javaw.exe
5324 javaw.exe

pid	process
1264	javaw.exe
1264	javaw.exe
860	javaw.exe
860	javaw.exe
3964	javaw.exe
3964	javaw.exe
5324	javaw.exe
5324	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4232 wrote to memory of 2096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3092	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3920	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 3920	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1096	4232	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2772
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dl.dropbox.com/scl/fi/hqtl599agsvsab9ijb6k4/YG.pdf?rlkey=3gohs0awn0aw8e1ugsjirw54e&st=myg4ma8u&dl=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0x100,0x104,0xd8,0x108,0x7ffe074446f8,0x7ffe07444708,0x7ffe07444718
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5684 /prefetch:6
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,8471356555698545797,10506297832537589642,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3968 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6096

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\" -spe -an -ai#7zMap28625:114:7zEvent18891
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4744

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\Privacy Policy.txt
1⤵
PID:2156

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\" -spe -an -ai#7zMap13144:150:7zEvent12960
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5156

C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe
"C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5444
- C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe
    "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\291e5c44ca4c1dc5f078291eb09e1cad.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1148
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5744
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro\sistercompetitivepro.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro\sistercompetitivepro.exe
  "C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro\sistercompetitivepro.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5808
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sistercompetitive.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sistercompetitive.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 480
        5⤵
        Program crash
        
        PID:5372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 472
        5⤵
        Program crash
        
        PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4432 -ip 4432
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:5564

C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe
"C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4080
- C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe
    "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a872e2f6e30329bd47ed06700edd5eee.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:6044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro\sistercompetitivepro.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5872
- C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro\sistercompetitivepro.exe
  "C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro\sistercompetitivepro.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sistercompetitive.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sistercompetitive.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:5820

C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe
"C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5420
- C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe
    "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e1341aefbe0f9b7d4eb3c2cb71796999.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080

C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe
"C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\위반된 이미지를 삭제해야 합니다\위반된 이미지를 삭제해야 합니다.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460
- C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe
    "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0c13786de30cc5fc3016c7e5cbcece04.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3212
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AmericanLowest\uninst.exe

Filesize
113KB

MD5
39b21d55f557b539cfe31bab1cbb8777

SHA1
9ffbf1557700e10ee88b26e4694abb37582231fd

SHA256
eb8d5fea0eb6714b3747443200f9e077a80b19cafd76c5e54cdc34f8173b7ce9

SHA512
79d14310fb7c95bd3a84cb84921807fb2c796f717bb8c53be71da41db3648c79f5a5ea69ebb8d7850243c113806c807ab11838262f4896c24547a0647e640ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
4246a54ce145992462e0e61b2b461f92

SHA1
86eb2b08ec0d36e2a5063df08ed0690aedc6be00

SHA256
06798015ec8801673edf2aab75462a6b14b0c5598f4d97102aa0141e37d09514

SHA512
b69f9c7170f46c0ca8dbab162ae55cb9c8383781bb9a82e3be38ccc703c9281d83d8650683096262087d5ecffd3c03653f4e9db52f6d5b9b09a15351320188f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
617B

MD5
3b824f3231dcae0c67e6069b9da33c90

SHA1
1110280f49374a6011ca7df2c1c1e15bba79ccdc

SHA256
0fe42605bab5500a83e1769263e67dc8ed4d360f45dd68daa187fe9430678454

SHA512
f945684771cce7dd04bb4a476d78331a269da691696e6ecc77c66fa7055e1746a37de810a370533d59d53054460a7765e55a476afa354b5194f49d2f0912bff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
617B

MD5
a04c5260b0c8727d3863e8b09fb07900

SHA1
bdbb9b72be81ec17657ba3551b78063668c925a3

SHA256
f82491154a5d9a8b5baf4f1cd3353f72f4653eb0718e8e29520d498c8414a55f

SHA512
7ac763d029582464bece8ed524d16c60b931f28a896e4e0cefdfa5777db20fd4071024d0d322b0cac653e59af5068dc9cf1b9db650c0ca196ed7125f414c55c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
260e2f14e3a1ab4a3ce01452ea4083bf

SHA1
53e91277e818d4f78a0c6ddebe2e5b377789d934

SHA256
5899c4b24d972ab2e0c68ed280a0b05f80f22084b9a58a234b1dedb469ce351f

SHA512
2412c6e31f790988a600669557fced291490aefe33551adfcb18c01368e9aa029e5a46811affc805bb73f0c22523fa9ff6832c0b3e6781839e891df10de8e2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d85bb544f650fae5ec332554098a126

SHA1
bd83ea5d80ccc96fb859971a9903ad14d4ebd8a3

SHA256
891e353f6e8ebdf9a961a8e19ef73c8b85e6c9da7eedc5b4dc03725f6de655e0

SHA512
fd6bcc844ca63204a45c0fd3d5f04548a281638bc7ffa1e95d18fbe5ab14af677f1b05418fe886f26933f4211cfaabc3725289c5b999b9b926916aa626d71043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
779abe9fcb92105ecbffebe791d946e7

SHA1
598b04a63a437429f8df0ce10484485c35e86d25

SHA256
dec334a95b1df9f9298809a670b67a1268002fd8d878f2db37f391fee346d98f

SHA512
12f9b7bbb45c2469a21c2cdce697bd20d31ed5f7b3034c6b72e1686f9ed6cabfb89894ec063138918a9a82535e421d096e27d118f5ff99254870c9f09a939567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a033503990918c86c2a9b02cb9fbad3f

SHA1
0544097b377d590303a987db3c98205ff0cb8d38

SHA256
b5f792870d4f49cbcb5b37de1c7c3ddff8456c44866cc8a65454ef1db45ad861

SHA512
2a3b86764183605f095ab60ed70c8208cfa0288471d5d0b71f65cd4def8914b0413c57b1e8246c27917a19cd6ee88c48cc32e323ebc703760bada15fde7f5b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
6885a13af8f2c025fd3bc6ad583076fa

SHA1
d9a702900d9ae5184abd25e0e4b9629cbfe306c4

SHA256
d524ba8672f9346bc7bcfa657791c7f3fc80aeee87c902ac0f125f5cf80f6ce8

SHA512
806b0e92eb7110b2213febfc70b39a045c2b6737b643a2c91925ae139ee439579107b787665df0647abf1501d01709d2c52c999e082d5b05a6091e128589efc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ebe6.TMP

Filesize
370B

MD5
fcb6dabba93d0cc926fc6b7f6bbed098

SHA1
5dc020a20e40b0030b4d28ff83fad416b61cbb68

SHA256
bc4232dd8b0f6b4434189eef07882afe7cbe8d0489e585b3d5c45e31d8a917d7

SHA512
07ca7e14bb7aab05eedf417e67ddb4ea9d265efc289b4e71647aae6bde11f6b124015f75f6b368769b80eab0f2ecaf94d9a75a4a418001379f9cd9f50d5f05f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1abac4d07b849cfd1b8f7755d83c02a2

SHA1
a4616f6bc9fc88b9982a0bbccf1b63531b31d396

SHA256
5ca0f6475b5617be346180b6a31e4e1b5f4f8d73b78d8bab1df77029b8654767

SHA512
f6226dac0efe694c88d55480337c146cea82a903e4de2c7fdb3d8a5294ec4a0ed3202d0f1a0320709d1ca735235e8dff181bf761866c14c439a7464d2505ee68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0d4194802fcd7d09100e955cce4f4625

SHA1
82fb81cd9e2ebc6c511ced0ac4e66cbedb31a104

SHA256
b44bf1fa3c3c1f77cc97ed334c2e3887789462b147ba4e6584598d570d72bf93

SHA512
ec3dde1bdd5b918b2891d2630563a4d6af9f0b6ba89c09d2c27809e085bbc0e214f71dca31ca1ce848c99d79909dd2092666da499efe65d09c4dc3c16932bc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b090f7f11be5d17de4a90575480da7d3

SHA1
62ff72ca0b9f93a6d0a9ff2034877f781e4817b0

SHA256
e150a45e2b1b1ec39722f7bf627d43de0ed04e2c78feb4ec734ae87e98a7c3dc

SHA512
4cff511a08616eb56d669d703dde11d7ce3b61ccf5c4c7872df19520d4692099bee4a976c95b40e9d2fe1e519b39dea2bb16e01e76b33b047eb03baf51f4c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\AmericanLowest_Launcher.exe

Filesize
10.3MB

MD5
925a9491fe610f943e418685dcfc4122

SHA1
0b49be1b98a2b52b194dded3a64c4383868a2f5d

SHA256
192e05f11f9ad5575766732105668a7a81aff690af079f610c73a8cfd928a88e

SHA512
160fb6f6aaf5c9835d00c0141e1f3f333418918b621923b0ba79e74d67e57934114747f08a92c12e7b1e9584bfd8f75b444a0563505fd01bec0085d21102d667

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\glass.dll

Filesize
196KB

MD5
434cbb561d7f326bbeffa2271ecc1446

SHA1
3d9639f6da2bc8ac5a536c150474b659d0177207

SHA256
1edd9022c10c27bbba2ad843310458edaead37a9767c6fc8fddaaf1adfcbc143

SHA512
9e37b985ecf0b2fef262f183c1cd26d437c8c7be97aa4ec4cd8c75c044336cc69a56a4614ea6d33dc252fe0da8e1bbadc193ff61b87be5dce6610525f321b6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\javaw.exe

Filesize
187KB

MD5
48c96771106dbdd5d42bba3772e4b414

SHA1
e84749b99eb491e40a62ed2e92e4d7a790d09273

SHA256
a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22

SHA512
9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\net.dll

Filesize
78KB

MD5
691b937a898271ee2cffab20518b310b

SHA1
abedfcd32c3022326bc593ab392dea433fcf667c

SHA256
2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61

SHA512
1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\nio.dll

Filesize
50KB

MD5
95edb3cb2e2333c146a4dd489ce67cbd

SHA1
79013586a6e65e2e1f80e5caf9e2aa15b7363f9a

SHA256
96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31

SHA512
ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\prism_d3d.dll

Filesize
113KB

MD5
5aadadf700c7771f208dda7ce60de120

SHA1
e9cf7e7d1790dc63a58106c416944fd6717363a5

SHA256
89dac9792c884b70055566564aa12a8626c3aa127a89303730e66aba3c045f79

SHA512
624431a908c2a835f980391a869623ee1fa1f5a1a41f3ee08040e6395b8c11734f76fe401c4b9415f2055e46f60a7f9f2ac0a674604e5743ab8301dbadf279f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\currency.data

Filesize
4KB

MD5
f6258230b51220609a60aa6ba70d68f3

SHA1
b5b95dd1ddcd3a433db14976e3b7f92664043536

SHA256
22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441

SHA512
b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\deploy\messages_zh_HK.properties

Filesize
3KB

MD5
4287d97616f708e0a258be0141504beb

SHA1
5d2110cabbbc0f83a89aec60a6b37f5f5ad3163e

SHA256
479dc754bd7bff2c9c35d2e308b138eef2a1a94cf4f0fc6ccd529df02c877dc7

SHA512
f273f8d501c5d29422257733624b5193234635bd24b444874e38d8d823d728d935b176579d5d1203451c0ce377c57ed7eb3a9ce9adcb3bb591024c3b7ee78dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\ext\jfxrt.jar

Filesize
17.3MB

MD5
042b3675517d6a637b95014523b1fd7d

SHA1
82161caf5f0a4112686e4889a9e207c7ba62a880

SHA256
a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22

SHA512
7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\images\cursors\invalid32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\jsse.jar

Filesize
619KB

MD5
fd1434c81219c385f30b07e33cef9f30

SHA1
0b5ee897864c8605ef69f66dfe1e15729cfcbc59

SHA256
bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5

SHA512
9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\resources.jar

Filesize
3.3MB

MD5
9a084b91667e7437574236cd27b7c688

SHA1
d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1

SHA256
a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d

SHA512
d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\security\java.security

Filesize
26KB

MD5
409c132fe4ea4abe9e5eb5a48a385b61

SHA1
446d68298be43eb657934552d656fa9ae240f2a2

SHA256
4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583

SHA512
7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\tzdb.dat

Filesize
101KB

MD5
5a7f416bd764e4a0c2deb976b1d04b7b

SHA1
e12754541a58d7687deda517cdda14b897ff4400

SHA256
a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d

SHA512
3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmericanLowest\mac\lib\tzmappings

Filesize
8KB

MD5
b8dd8953b143685b5e91abeb13ff24f0

SHA1
b5ceb39061fce39bb9d7a0176049a6e2600c419c

SHA256
3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272

SHA512
c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sistercompetitive.exe

Filesize
7.3MB

MD5
b6798b22a6a137c247daa62fe852d953

SHA1
597e7265d7918556c1d019d58ceadd504f48a854

SHA256
471c981c11df004b941dad0175bc435f9c901bcb968ba9582f1a2181443d9ef4

SHA512
a31b751173dbf50ec728d7f031c1d22de5e66120e8852110253071669f58a36b28c8769f9e8cebc88aa317348069bc7122842f428ccc643758a6e082218019b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktn4uiba.012.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1341aefbe0f9b7d4eb3c2cb71796999.bat

Filesize
155B

MD5
2658dfc63032f1c8c59c0233c1cc9769

SHA1
7aad97674e967259ead769fe60f8e40b30a9edd8

SHA256
ccfa651cc1c739b06adca460daea6a1fbf871457e23bd7bca52b6a7f0ee767c1

SHA512
e37e43bb9fceadd01758d4e6e21ac173f70d3120307a99d9b4a0292ecc0a341322fc77ab9f6765343371a70d1591488d294f9d536d372e372eba94f02294558a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss969F.tmp\NAct.dll

Filesize
206KB

MD5
069dc472ad36c38b3a529a6b77511c18

SHA1
cab8f04f1de0a337a6197158452a7dfd718cf136

SHA256
07e5bb56ad4f8bb4dd5d13da222c61baa714fcb0e6320c2eb99e4407e65780af

SHA512
bb98a7d59acc103f8f046c880974b817743663b22a8a9a5296643b02bf0fa97a54907acaa4079a9606ee2f6e5c90e7e3439e5f316731707fb783e0f3dac64a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss969F.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\sistercompetitivepro.zip

Filesize
6.7MB

MD5
78288263f6463ef4e59452efcd41024f

SHA1
323a6b36a7d7e314b7b7a8765b0c71c918d9fb51

SHA256
3fdc5b151441f5a70be8ffb703eaffbe25721ca081aeb3d06f9d692ad215ebae

SHA512
21133366139f2dd898f2759d94a1fc04ef173537bd07f346c6b7d1b9107ac1ab42790f351ea8acf9a12beeb72441bf3959d0629032926f5a688ddd693ad0dfa9

Download Submit
C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지 사용에 대한 공지.pdf

Filesize
174KB

MD5
a265a2645a0510b3c08ddf25d1436468

SHA1
fa995e5b4cbeeb4b0eb48b89390feac11eafcb16

SHA256
18f2aaa6b155ba7e58a241265b6567806a758c6e3f7160102773961728a4d666

SHA512
afa68b49b68b218260c5b596aec62a705807ae66773bbdc9194a01735e2705f22624f26005c385513de84c9f7372675455ed677beaf5a2cfca85191f38eb01a6

Download Submit
C:\Users\Admin\Downloads\YG 엔터테인먼트의 지적 재산권에 속하는 이미지\Privacy Policy.txt

Filesize
15KB

MD5
a944d6d7a1e68350db26112c873d2be5

SHA1
90a80a26fa5f079de40f1c1cceeada8f42cf0a0c

SHA256
6fe3d78e34ff41725e34d0dec6d660fd96e0af50619404e435c00abadb75b1f4

SHA512
aed088051362f0e8c6b49c728ae033dfac68fd294066c4913ae51bd405b55e14cc00aa5ce39cba30e1b91ae820def41c2b32829541955899b300e78552260582

Download Submit
\??\pipe\LOCAL\crashpad_4232_CSLIYDZZLSLFSXCT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1264-592-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1264-537-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1264-532-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1264-512-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1264-505-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1264-450-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1264-497-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3724-1075-0x00000000009C0000-0x0000000001108000-memory.dmp

Filesize
7.3MB

Download
memory/3776-1035-0x0000000006780000-0x0000000006794000-memory.dmp

Filesize
80KB

Download
memory/3776-1020-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/3776-1023-0x000000006E3E0000-0x000000006E42C000-memory.dmp

Filesize
304KB

Download
memory/3776-1033-0x0000000007B80000-0x0000000007C23000-memory.dmp

Filesize
652KB

Download
memory/3776-1034-0x0000000006740000-0x0000000006751000-memory.dmp

Filesize
68KB

Download
memory/3916-1748-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/3916-1760-0x000000006E1E0000-0x000000006E22C000-memory.dmp

Filesize
304KB

Download
memory/4012-405-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-1401-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4080-1402-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/4080-1403-0x000000006E1E0000-0x000000006E22C000-memory.dmp

Filesize
304KB

Download
memory/4080-1413-0x00000000072C0000-0x0000000007363000-memory.dmp

Filesize
652KB

Download
memory/4080-1415-0x0000000006060000-0x0000000006071000-memory.dmp

Filesize
68KB

Download
memory/4080-1416-0x00000000060A0000-0x00000000060B4000-memory.dmp

Filesize
80KB

Download
memory/5744-544-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/5744-556-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/5744-540-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

Filesize
216KB

Download
memory/5744-541-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/5744-542-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/5744-543-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/5744-554-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/5744-555-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/5744-564-0x000000006E3E0000-0x000000006E42C000-memory.dmp

Filesize
304KB

Download
memory/5744-584-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/5744-583-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/5744-582-0x0000000007800000-0x0000000007814000-memory.dmp

Filesize
80KB

Download
memory/5744-581-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/5744-580-0x00000000077C0000-0x00000000077D1000-memory.dmp

Filesize
68KB

Download
memory/5744-579-0x0000000007830000-0x00000000078C6000-memory.dmp

Filesize
600KB

Download
memory/5744-578-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/5744-577-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/5744-576-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/5744-575-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/5744-574-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/5744-563-0x0000000006840000-0x0000000006872000-memory.dmp

Filesize
200KB

Download
memory/6092-614-0x00000000009F0000-0x0000000001138000-memory.dmp

Filesize
7.3MB

Download
memory/6092-618-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/6092-615-0x0000000002E90000-0x0000000002F2C000-memory.dmp

Filesize
624KB

Download
memory/6092-616-0x00000000052D0000-0x000000000536E000-memory.dmp

Filesize
632KB

Download
memory/6092-642-0x0000000007660000-0x0000000007666000-memory.dmp

Filesize
24KB

Download
memory/6092-641-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/6092-620-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/6092-619-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download