hxxps://www[.]mediafire[.]com/file/qiu8pkauk51ze8r/LOL[.]rar/file

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/qiu8pkauk51ze8r/LOL.rar/file

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	peazip-9.8.0.WIN64.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	peazip.exe

Executes dropped EXE 20 IoCs

pid	Process
7780	peazip-9.8.0.WIN64.exe
8172	peazip-9.8.0.WIN64.tmp
5952	peazip.exe
7516	PEAZIP.EXE
5668	7z.exe
7732	7z.exe
4456	7z.exe
6440	PEAZIP.EXE
1944	7z.exe
1896	7z.exe
3620	7z.exe
6372	PEAZIP.EXE
1420	7z.exe
6432	7z.exe
1916	7z.exe
7032	peazip.exe
6328	7z.exe
2144	Kiwi X External.exe
7800	Kiwi X External.exe
3120	Kiwi X External.exe

Loads dropped DLL 64 IoCs

pid	Process
5952	peazip.exe
7516	PEAZIP.EXE
5668	7z.exe
5668	7z.exe
5668	7z.exe
5668	7z.exe
5668	7z.exe
5668	7z.exe
5668	7z.exe
7732	7z.exe
7732	7z.exe
7732	7z.exe
7732	7z.exe
7732	7z.exe
7732	7z.exe
7732	7z.exe
4456	7z.exe
4456	7z.exe
4456	7z.exe
4456	7z.exe
4456	7z.exe
4456	7z.exe
4456	7z.exe
6440	PEAZIP.EXE
1944	7z.exe
1944	7z.exe
1944	7z.exe
1944	7z.exe
1944	7z.exe
1944	7z.exe
1944	7z.exe
1896	7z.exe
1896	7z.exe
1896	7z.exe
1896	7z.exe
1896	7z.exe
1896	7z.exe
1896	7z.exe
3620	7z.exe
3620	7z.exe
3620	7z.exe
3620	7z.exe
3620	7z.exe
3620	7z.exe
3620	7z.exe
6372	PEAZIP.EXE
1420	7z.exe
1420	7z.exe
1420	7z.exe
1420	7z.exe
1420	7z.exe
1420	7z.exe
1420	7z.exe
6432	7z.exe
6432	7z.exe
6432	7z.exe
6432	7z.exe
6432	7z.exe
6432	7z.exe
6432	7z.exe
1916	7z.exe
1916	7z.exe
1916	7z.exe
1916	7z.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\KDE-servicemenus\KDE3-konqueror\is-ANPKH.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-0L248.tmp	peazip-9.8.0.WIN64.tmp
File opened for modification	C:\Program Files\PeaZip\res\bin\brotli\brotli.exe	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\KDE-servicemenus\KDE4-dolphin\is-VLB7O.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to archive.workflow\Contents\is-FCBP7.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-SVAKE.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-L8S1R.tmp	peazip-9.8.0.WIN64.tmp
File opened for modification	C:\Program Files\PeaZip\res\bin\quad\bcm.exe	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-E97S2.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-I3M70.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-AN39G.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-7MBNA.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-Q07ND.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\bat\is-36SQT.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-TRVF0.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-QV9R1.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\presets\is-JCSFV.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-DVNQ8.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\presets\alt\is-N48I9.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\Extract here (smart new folder).lnk	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-J37TN.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-099TG.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\is-EI4DQ.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\KDE-servicemenus\KDE4-dolphin\is-MQPP4.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-UNEUA.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-ND9HP.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, extract to Desktop.workflow\Contents\is-PCS84.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-SL6T5.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-V52UA.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\bat\is-SNDDF.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, open file or folder.workflow\Contents\QuickLook\is-G2K85.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-RRR5A.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-MQQ3F.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-V87K3.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-40MV3.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\themes\is-2RM0U.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-DM56L.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\bin\lpaq\is-GPL8J.tmp	peazip-9.8.0.WIN64.tmp
File opened for modification	C:\Program Files\PeaZip\dragdropfilesdll.dll	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\presets\is-1AMGJ.tmp	peazip-9.8.0.WIN64.tmp
File opened for modification	C:\Program Files\PeaZip\res\bin\paq\paq8o.exe	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-SOCA1.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-KO11I.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to TAR.workflow\Contents\is-GKMI0.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-OQVLL.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-V3H63.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\themes\nographic-embedded\is-JKS8E.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\Nautilus-scripts\Archiving\PeaZip\is-522K5.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-BQJ5D.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-O8RD4.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\readme\is-LE7PT.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\KDE-servicemenus\KDE5-dolphin\is-I7RNB.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to Brotli.workflow\Contents\is-HM945.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, extract to Downloads.workflow\Contents\is-T8NT8.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\copying\third-parties\is-1IJV8.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\bin\7z\is-4NSEJ.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-PVRI9.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-KNGS8.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-QHII0.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\copying\third-parties\is-V1KH5.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-4F7PF.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-TJETI.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-SSSA4.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-FFUCV.tmp	peazip-9.8.0.WIN64.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8JD\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZPAQ\shell\open	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.CAB\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CPIO	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional\linux	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.DEB\ = "DEB package"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZST\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BALZ	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.7Z\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip\PAQ\ = "Associated PeaZip with file type(s)"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.paq8jd\ = "PeaZip.PAQ8JD"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZIPX\shell\open	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "PeaZip.BZ"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LHA	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TBZ2\shell\open	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.PET\ = "PeaZip.PET"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.XZ\DefaultIcon	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TGZ\ = "GZip compressed TAR archive"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CAB	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LZH\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BZ2\shell\open	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TGZ\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZIP\DefaultIcon	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ARJ\shell\open\command	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ARC\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP.ICO,0"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LPAQ5\ = "LPAQ5 compressed file"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TBZ\DefaultIcon	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional\ACE	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ARJ	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TZST\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8L\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZPAQ	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcm\ = "PeaZip.BCM"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ACE\ = "PeaZip.ACE"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ACE\shell\open	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.SLP\shell	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.CPIO\ = "CPIO archive"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.WRC\shell\open\command	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LPAQ8\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP.ICO,0"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.CPIO\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.DEB\DefaultIcon	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZST\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP.ICO,0"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LPAQ5	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.paq8o\ = "PeaZip.PAQ8O"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TBZ2\shell	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ARJ	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.LHA\ = "PeaZip.LHA"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shell\PeaZip	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.CPIO\shell\open	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PET\ = "PET package (Puppy Linux)"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PUP	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.SLP\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP_PACKAGE.ICO,0"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "PeaZip.RAR"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8JD\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BZ\shell	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TAZ\shell\open	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional\RAR	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.paq8f	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.RPM\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.paq8l\ = "PeaZip.PAQ8L"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8O\shell	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.QUAD\shell\open	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BZ\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP.ICO,0"	peazip-9.8.0.WIN64.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 668894.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
1448	msedge.exe
1448	msedge.exe
5720	identity_helper.exe
5720	identity_helper.exe
7764	msedge.exe
7764	msedge.exe
5948	msedge.exe
5948	msedge.exe
6672	msedge.exe
6672	msedge.exe
8172	peazip-9.8.0.WIN64.tmp
8172	peazip-9.8.0.WIN64.tmp
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
2144	Kiwi X External.exe
7800	Kiwi X External.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	5668	7z.exe
Token: 35	5668	7z.exe
Token: SeSecurityPrivilege	5668	7z.exe
Token: SeRestorePrivilege	7732	7z.exe
Token: 35	7732	7z.exe
Token: SeSecurityPrivilege	7732	7z.exe
Token: SeRestorePrivilege	4456	7z.exe
Token: 35	4456	7z.exe
Token: SeSecurityPrivilege	4456	7z.exe
Token: SeRestorePrivilege	1944	7z.exe
Token: 35	1944	7z.exe
Token: SeSecurityPrivilege	1944	7z.exe
Token: SeRestorePrivilege	1896	7z.exe
Token: 35	1896	7z.exe
Token: SeSecurityPrivilege	1896	7z.exe
Token: SeRestorePrivilege	3620	7z.exe
Token: 35	3620	7z.exe
Token: SeSecurityPrivilege	3620	7z.exe
Token: SeRestorePrivilege	1420	7z.exe
Token: 35	1420	7z.exe
Token: SeSecurityPrivilege	1420	7z.exe
Token: SeRestorePrivilege	6432	7z.exe
Token: 35	6432	7z.exe
Token: SeSecurityPrivilege	6432	7z.exe
Token: SeRestorePrivilege	1916	7z.exe
Token: 35	1916	7z.exe
Token: SeSecurityPrivilege	1916	7z.exe
Token: SeRestorePrivilege	6328	7z.exe
Token: 35	6328	7z.exe
Token: SeSecurityPrivilege	6328	7z.exe
Token: SeSecurityPrivilege	6328	7z.exe
Token: SeDebugPrivilege	2144	Kiwi X External.exe
Token: SeDebugPrivilege	7800	Kiwi X External.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 5108	1448	msedge.exe	83
PID 1448 wrote to memory of 5108	1448	msedge.exe	83
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 1196	1448	msedge.exe	84
PID 1448 wrote to memory of 380	1448	msedge.exe	85
PID 1448 wrote to memory of 380	1448	msedge.exe	85
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86
PID 1448 wrote to memory of 3556	1448	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/qiu8pkauk51ze8r/LOL.rar/file
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a1dd46f8,0x7ff9a1dd4708,0x7ff9a1dd4718
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1
  2⤵
  PID:6288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:1
  2⤵
  PID:6392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8972 /prefetch:1
  2⤵
  PID:6592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:1
  2⤵
  PID:6712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9060 /prefetch:1
  2⤵
  PID:6808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9548 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9616 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9760 /prefetch:1
  2⤵
  PID:6960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:6640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:6688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10076 /prefetch:1
  2⤵
  PID:6612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:7256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1
  2⤵
  PID:7392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10276 /prefetch:1
  2⤵
  PID:7400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=10628 /prefetch:8
  2⤵
  PID:7528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:1
  2⤵
  PID:7536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10620 /prefetch:1
  2⤵
  PID:7740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11036 /prefetch:1
  2⤵
  PID:7820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:7976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9400 /prefetch:1
  2⤵
  PID:8144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10908 /prefetch:1
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9948 /prefetch:8
  2⤵
  PID:7652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=9608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11024 /prefetch:1
  2⤵
  PID:7108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9448 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9624 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10856 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10276 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11224 /prefetch:8
  2⤵
  PID:6484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6672
- C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe
  "C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe"
  2⤵
  - Executes dropped EXE
  PID:7780
- - C:\Users\Admin\AppData\Local\Temp\is-19BAH.tmp\peazip-9.8.0.WIN64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-19BAH.tmp\peazip-9.8.0.WIN64.tmp" /SL5="$150048,9108104,151552,C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:8172
  - - C:\Program Files\PeaZip\peazip.exe
      "C:\Program Files\PeaZip\peazip.exe" -peaziplanguage *nochange
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5952
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import "C:\Program Files\PeaZip\res\share\lang-wincontext\default.reg"
        5⤵
        
        PID:4880
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\" /s /q
        5⤵
        
        PID:5432
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\" /s /q
        5⤵
        
        PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10676 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10768 /prefetch:1
  2⤵
  PID:7608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11108 /prefetch:1
  2⤵
  PID:6852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:6860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17536590265908248029,9772298296078682031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5116 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7376

C:\Program Files\PeaZip\PEAZIP.EXE
"C:\Program Files\PeaZip\PEAZIP.EXE" "C:\Users\Admin\Downloads\LOL.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7516
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\LOL.rar" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -slt -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\LOL.rar" "-x!*\*" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:7732
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -bb0 -bse0 -bsp2 -pdefault -sccUTF-8 -snz -slt "C:\Users\Admin\Downloads\LOL.rar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\" /s /q
  2⤵
  PID:7776
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\" /s /q
  2⤵
  PID:5552

C:\Program Files\PeaZip\PEAZIP.EXE
"C:\Program Files\PeaZip\PEAZIP.EXE" "C:\Users\Admin\Downloads\LOL.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6440
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\LOL.rar" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -slt -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\LOL.rar" "-x!*\*" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -bb0 -bse0 -bsp2 -pdefault -sccUTF-8 -snz -slt "C:\Users\Admin\Downloads\LOL.rar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3620

C:\Program Files\PeaZip\PEAZIP.EXE
"C:\Program Files\PeaZip\PEAZIP.EXE" "C:\Users\Admin\Downloads\LOL.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6372
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\LOL.rar" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -slt -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\LOL.rar" "-x!*\*" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:6432
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -bb0 -bse0 -bsp2 -pdefault -sccUTF-8 -snz -slt "C:\Users\Admin\Downloads\LOL.rar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Program Files\PeaZip\peazip.exe
  "C:\Program Files\PeaZip\peazip.exe" -pdrop UN7Z 0 32785217 "C:\Users\Admin\Downloads\LOL.rar" "C:\Program Files\PeaZip\res\bin\7z\7z.exe" x -aos "-oC:\Users\Admin\Downloads\.pdtmpEE55D8\virtual\" -bb0 -bse0 -bsp2 -pdefault -sccUTF-8 -snz "C:\Users\Admin\Downloads\LOL.rar" "-i!LOL"
  2⤵
  - Executes dropped EXE
  PID:7032
- - C:\Program Files\PeaZip\res\bin\7z\7z.exe
    "C:\Program Files\PeaZip\res\bin\7z\7z.exe" "x" "-aos" "-oC:\Users\Admin\Downloads\.pdtmpEE55D8\virtual\" "-bb0" "-bse0" "-bsp2" "-pdefault" "-sccUTF-8" "-snz" "C:\Users\Admin\Downloads\LOL.rar" "-i!LOL"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6328
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\Downloads\.pdtmpEE55D8\source\" /s /q
  2⤵
  PID:6652
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\Downloads\.pdtmpEE55D8\" /s /q
  2⤵
  PID:2312
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmpEE55D8\virtual\" /s /q
  2⤵
  PID:7988
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmpEE55D8\source\" /s /q
  2⤵
  PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmpEE55D8\" /s /q
  2⤵
  PID:6060

C:\Users\Admin\Downloads\LOL\Kiwi X External.exe
"C:\Users\Admin\Downloads\LOL\Kiwi X External.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\Downloads\LOL\Kiwi X External.exe
"C:\Users\Admin\Downloads\LOL\Kiwi X External.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7800

C:\Users\Admin\Downloads\LOL\Kiwi X External.exe
"C:\Users\Admin\Downloads\LOL\Kiwi X External.exe"
1⤵
- Executes dropped EXE
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PeaZip\dragdropfilesdll.dll

Filesize
2.8MB

MD5
31799d3d9a34028cd107f4d89371817e

SHA1
162233528440107339c05031efc2ca73cf50a21f

SHA256
b8e60f5dd754b406363fcd6658cdb55ceb48256ae88d30dee7180a3706a1a34c

SHA512
de0c167a65005ab84ce9ea9ae446a6bcd742edd1803ec2c0abc798fb7d15d7f09aa410f5bd4a4449feedb5ec9ac9703b8dde0fa5366d97070ab5d4c4c1595239

Download Submit
C:\Program Files\PeaZip\peazip.exe

Filesize
6.9MB

MD5
2337e0d7f47ae59e849357a01cf61e92

SHA1
9a444109518c4404a46451cfb23e48a4b1390a4b

SHA256
6bcf062fbe670498365fdbf560d834c54e0b21b165a13679f70763ef5aa542aa

SHA512
bc0fe5053004f1b1a0678e953b4774eae45bbe13a71773469a569a9125abc564cc43ab34e4390da04dba1a4a0837fe5fad230a471115de928bd7de5deccc7eb1

Download Submit
C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to GZ.workflow\Contents\QuickLook\is-8J5O0.tmp

Filesize
3KB

MD5
e1e1070acdc6d9fe210a430f91fb2d14

SHA1
94e6f543d2d7511dd36e5d72b5e2f3c460d0a720

SHA256
d1075536f6b2b7dc5f5baeb44324db9508bedbec5c36b08864c97c8de647e549

SHA512
ca1c1acd595eab368d1a2cf8f82204db71d8ef43ccfb738512b61ac16df7a4d8c7d31de892975e19e7955b874d7e5a0abef278d6088b6adabca73c297c9c6410

Download Submit
C:\Program Files\PeaZip\res\share\icons\is-PMIG9.tmp

Filesize
1KB

MD5
87dde3772d4324ccfed2ed6e5d9b0ed5

SHA1
1e4b20441da280aeb6b6242a7a992933fe3703fd

SHA256
e995334de54eb1a206235ede2494fc20fbc6f1da8999dde987e465ab7ef96f82

SHA512
7e520a3391104ae6cd0b212864164909d938cb1a2931fabfca4376c4cdc2721de490bbdbf93c2b4b535f543e37a5ceafc8044ba56ff7255888f3c629cf1e631a

Download Submit
C:\Program Files\PeaZip\res\share\lang-wincontext\is-KCG9O.tmp

Filesize
6KB

MD5
9be5cb203bfaf9b217d0767e6b2cb41c

SHA1
eb9cde55ed3d1c50e8536d5f3c984b4aa9e1e6f2

SHA256
79e61ffdcbca1c3f30a9ed245bf68cd2505e447e18555fa8dac9eef18fd4d461

SHA512
eb7912c5c32c2a96556ff535f267d37d9a5cb702fd6c0b0081151b277b004069bdc78f72cd6224d4a6156881b31977ebf44865ab878eb0a934c1963d1353930b

Download Submit
C:\Program Files\PeaZip\res\share\themes\main-embedded\fm-theme.bmp

Filesize
70B

MD5
e57040134b77ae54df14121c793aff53

SHA1
0abd2098e6aae2e647d15de10f6e4d5f28f8fc4f

SHA256
3958ecc97b63508f01dee5636b247820b812aa933b75725db30e9f4eaf58f703

SHA512
f299c65c30e2a39a76c0feefe5decf7bcf321e2799662e38d0e6e350b71a3a346ec5bfe633cce9fb0e73320163829f2b5d174b738995b03596524feca7dc4a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9b09d99dee09276464f4c3aa6b817ba3

SHA1
e198162bfd9f4dae6930aa06f265109fb4be2d3d

SHA256
dda04522143636b1c81d5e6ff98cc6b2e56ba79e145539bbad75f266526e8199

SHA512
d82e89bc637b77272942812848e3055adee66995ea103dec457943f4821013edb0b288f097c5c27bef2bf1b9b06f84f5e12ec2956a09936965e9aeec6de48916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
1323b953a8fc46b14efad1b826c402b6

SHA1
f0c5dd0d15d3e3dd24ca72c7d557bc3852188f19

SHA256
b0b6bac2f165063758c6ff15c9ae589a08367a32af680e0ce75022317bf7549b

SHA512
969be3bd25feb1661d2a0f0921b3d6981cc7205d8c4a7b2fd0d83400c87d99ed3dba4bdf48c894925ec29a043b0452106de499154801073875cf8b685c02bf80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
3369650c2591124695d90ea98065ff26

SHA1
f37bf2a4457524db23ba2854de6519fca2d4ca5e

SHA256
ed9810e987192a257658529639fe9589cdbbe8d8d41036d8ba7911703cd38659

SHA512
5932ee2edb98a0844b057091267cf756d3e44c81060a5f3601229d30566fddaeccce458d60b200a9891e1e990885956af398be2c65b1854093fd60929659beda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
828947854e688b8c20d8468b44d4759f

SHA1
cb4fdef654550b65da6e06a8a036e47216504584

SHA256
88abde4bbe24477f4303fae272513ae50284c3b998652510dd647e7b4a2d862d

SHA512
0d3d813bc584141909555a84e1c31bc23d4759e5a2ea711df03830259bfd014dc67bc4c5c0586d1d8f31042002c6fb8b4930de23e2d36656e67187c45e8a4f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
6d0b23338705885e67bb6fa454c17ea7

SHA1
fcddcc47b9513d2a8ab968b4069832b3de75648e

SHA256
e0611aa58a3a91755a26c6440e759b0ad3113c6c49a52971f94131430f0028ef

SHA512
8067c3680047d52be74ebdc8b449fc39bed01f32ed4f4391b5e8f6eedd7a34c9d710cf0b77b2031bc7879d0cc93a4eca1ad03c7833408d2c21b9e9ce69691b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
07fa085a3b78d9b322e8ecc95a0a24ab

SHA1
b147532a7f4de12f34503893e4e5f4a74b56bbe1

SHA256
f2c24fa1d01004a3a2b855fa4c264d5c4b9c91b4d2c196a007d55e532cf158fa

SHA512
9b8682e5c408ab8c8d824b2d3800a0fddd8e3ba05de014f489c07e6359cbec41a07301ea958f4c66b17ca3c0d96ec4cea4bfb2eb1a9fc47073274f81e7b447f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
6e48e3e7d45244a3149975472514d215

SHA1
fe5d8d2b5ce93b339f5b050be6accd5903a280f7

SHA256
54405148724cdc7745a5d0a7959400a417b523b284ba45fad507b457ae540f70

SHA512
e14f21d04bc48c513a4276d5ac176702876db37ae1c6847b15d486291259096ee2e0a11a6058e76fe13acb38a7f82d3ceb1c697c3328e52e5b3f6d20742fb9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f05f1d049bc4b5059aee3fb6f170ff95

SHA1
a07cb278e67735fbb4f60f4530a6d559dc45c45f

SHA256
495f4952b106cc2e79404ef175d201ee6f28f54ab70e3d81ca231d77e75a1f89

SHA512
7b9944e8ae8d5601ddca3ba967cc41b69b971b5fa113127569b7c9801b5317f569d14d86e4f32e92d8bdaf41d337093f15f36d48340799f9b63c910ffe4dd0bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
aabd4c180c768ca7460101359397e496

SHA1
9b666973a8582d6e112b4b2bc0e8aebdff64622c

SHA256
9552057a91f37d3ee43e68e83ee13d94e83a7e85354fc5d6e954c2b522e135d8

SHA512
8052e1c7dd173a477b8af5aa2d2d50cff0f7f2b2446701b96025bce8300129630f8906524d69ebe5325d04cf2e123b2c149cea8fa00c43c8b554e9d462feed76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578194.TMP

Filesize
2KB

MD5
0454f3b60b28e97da037103f24b748e8

SHA1
e254f0271625e00c55c9992509ba6a8837a1a506

SHA256
8245f06941b30eff4ebd95bfcafbb82ff2ade9f38024db218da0696d50e3d6ce

SHA512
bb9f1433bc679996a47338fd9bf9079ba0b68ab2347faa58a3377e457c0e62e457a55a7a0872a7542884f8b57d51dd8fd57e19cc7f4b6311c7ab16dfde5a5563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
21adea37e11ef58ba258c2d71fa0667f

SHA1
c2e164b374b287c7a5421ec1f59954cfe4c7158c

SHA256
c6d071b69fb67c0c9b68d5af43761e322f0535c22d2ae3fccaef4a65dbcc606b

SHA512
54d15cf12e5cf480fc6160159f1d63a2a6f5b12c2c17dc45e41ebd43cfa96bfa33f54ac00f0306c1cf58346d294f6e0976172998834c2058e8351f5695fccae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b477eac1b1adb8c6ce9351897dafb6b

SHA1
f18b6ce90cc33010fb009ae51c271a1051a1d6dd

SHA256
6c72a543a28069c9b31cd6b530c79c8bf8afc34f3cf9bcaa7a6506773b894cf7

SHA512
2e47368766a3f857d58572db1f1c2bc98ca95382667f1490288050ad11fe423a4fd2b3b2d138f2ceb4e6239dade412a337e0482c128213aac3a936b207bea061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
64200fb721be0347d8721ef8caf120f4

SHA1
314d96b843af294ac37002131cb98ec341be8b2b

SHA256
ddbb8449621f9689532ce4e101644d01934a52cda85f5ac15efde0395757131b

SHA512
daba47f62dbdf74c77712ed24a90d5c21c1b9bcd6c6272568e1cfa9791238418be64825af466fa667b90ba271b8a53a76e02e00fbd9048c4f68f7bf0a13d1d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9b4b652205adb8dd7ab7af41bc3694fd

SHA1
5e0835585eee0b09ca60d8205b5e6d24c127d7e7

SHA256
d8cb8224aab25bdb4c1902920f2ec60c218095fd204b1cbc58f6f94a8ef10713

SHA512
5e597c451617d05b857a31afeb60c04a0baceb503ebce0e544e599305c69ab32e8ff63d05adc859a052f8f7a1888f25c30d7f357aa5c91a7830e6b53b3b71b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
43a665f1034c5a27e1f4fece426afaf4

SHA1
70916cc4bddfe37a4e3463c22ada3b49917a453f

SHA256
c2c9ca6e8ebeee8b4b74f9163a24fd171c09697c373288889f5af03d55caed80

SHA512
2323e3c8140f2fc4a51a32fbde33df926e1270c501a7b520b9b2214f3a2ce51c4024773cc41d87d5329e4dc2c6fbe4086b122ddfaa8ec529e1483cd2bb17b4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-19BAH.tmp\peazip-9.8.0.WIN64.tmp

Filesize
1.2MB

MD5
889c8ef91ac310544d1539ac3cdc0f07

SHA1
3ccb4c5ff6c419599138bcce43a70780a9570871

SHA256
7ba798767f82812cc3bfba370b6797fd29ecdcddc52baf967a52773edee4a0c7

SHA512
a25353e243a4db84d0262210eacb6ce07b13bed982e347cba085d6d7b895a781c00524739477baec5eac186b65e65da0cca0315bb8f3abcd250ab032d866d2a3

Download Submit
C:\Users\Admin\AppData\Roaming\PeaZip\conf-lastgood.txt

Filesize
12KB

MD5
0cf43083149899f84c39d609aa7e22c2

SHA1
253561f1f526d72d1c5a1fd8d4f8be778428c525

SHA256
e0374950dc26c60d7e1254825c15c036d40b468fc34da630f1081beab8f3771b

SHA512
21dc5f7721f78bc4548c7a0564c330422c2966289701ee6d5615561da1e1bebe250ddcdb859855ed856f73b7ffe0a9e310af0863402a4d3b59121e1e3acb4b28

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 668894.crdownload

Filesize
9.1MB

MD5
898a8987cc606b17a5e588ed976b35a0

SHA1
d49db9e82ab22e4f51b051b1ee1069a5067308de

SHA256
f0637a8d40fb90f39ee156bd9c826e605a5a82f520d48931990b307ad08a0572

SHA512
7c0b06b1b517196798ce324142f08ef6f4fb8f21d4765e4d194088229d297c6ad5c8ee80ed41cc4506e5c98fa6b6092dc4734ca5c0664c19a0e58bc1c7fe1d0e

Download Submit
memory/7780-1465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7780-1167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7780-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8172-1168-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/8172-1464-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download