lumma | hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Analysis

max time kernel
355s
max time network
358s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Score

10^/10

lumma defense_evasion discovery stealer

Malware Config

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	peazip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	peazip-9.8.0.WIN64.tmp

Executes dropped EXE 12 IoCs

pid	Process
6444	peazip-9.8.0.WIN64.exe
6716	peazip-9.8.0.WIN64.tmp
6808	peazip.exe
5180	PEAZIP.EXE
6764	7z.exe
6456	7z.exe
4884	7z.exe
7128	PEAZIP.EXE
6844	7z.exe
6436	7z.exe
5172	peazip.exe
6720	7z.exe

Loads dropped DLL 46 IoCs

pid	Process
6808	peazip.exe
5180	PEAZIP.EXE
6764	7z.exe
6764	7z.exe
6764	7z.exe
6764	7z.exe
6764	7z.exe
6764	7z.exe
6764	7z.exe
6456	7z.exe
6456	7z.exe
6456	7z.exe
6456	7z.exe
6456	7z.exe
6456	7z.exe
6456	7z.exe
4884	7z.exe
4884	7z.exe
4884	7z.exe
4884	7z.exe
4884	7z.exe
4884	7z.exe
4884	7z.exe
7128	PEAZIP.EXE
6844	7z.exe
6844	7z.exe
6844	7z.exe
6844	7z.exe
6844	7z.exe
6844	7z.exe
6844	7z.exe
6436	7z.exe
6436	7z.exe
6436	7z.exe
6436	7z.exe
6436	7z.exe
6436	7z.exe
6436	7z.exe
5172	peazip.exe
6720	7z.exe
6720	7z.exe
6720	7z.exe
6720	7z.exe
6720	7z.exe
6720	7z.exe
6720	7z.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
49	drive.google.com
53	drive.google.com
54	drive.google.com
6	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-EIG5U.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\Windows 11 mini context menu\is-VSED6.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-90MM0.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-4II4F.tmp	peazip-9.8.0.WIN64.tmp
File opened for modification	C:\Program Files\PeaZip\res\bin\zpaq\zpaq.exe	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-RJKIB.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\Windows 11 mini context menu\is-UJCER.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-EOQNS.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-SLP1N.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-8S8D2.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-2LHHH.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to GZ.workflow\Contents\is-THT98.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files (x86)\is-N6D7S.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-CLKOF.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, extract to Desktop.workflow\Contents\is-OUNIA.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\Windows 11 mini context menu\is-U4LGK.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-J6465.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-OBH86.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-EL01L.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\bin\is-CVMS8.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-2QNLP.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-LJBB3.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\copying\is-USQPN.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-0QT4L.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to Brotli.workflow\Contents\is-H3MEG.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-83HN7.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\Windows 11 mini context menu\is-SQL0K.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-28QKG.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\KDE-servicemenus\KDE4-dolphin\is-0A627.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\KDE-servicemenus\KDE4-dolphin\is-7UN9O.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-16JN7.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\sh\is-DBI4S.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, convert.workflow\Contents\QuickLook\is-G2R04.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-9UT0L.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-MJ2IV.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, open file or folder.workflow\Contents\is-Q3FTI.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\Add to archive.lnk	peazip-9.8.0.WIN64.tmp
File opened for modification	\??\c:\program files\peazip\res\share\icons\peazip_rar.ico	firefox.exe
File created	C:\Program Files\PeaZip\res\share\presets\is-O1RJM.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-NB90D.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-PKBQ8.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-FSQF6.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\copying\third-parties\is-KA3MC.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-GU1ND.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\Nautilus-scripts\Archiving\PeaZip\is-SA0MH.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to XZ.workflow\Contents\is-LR21U.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-230BJ.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-M1BMI.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-3O71M.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-8CR5N.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-V3TFT.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\bat\is-7882R.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\SendTo_Program Files\is-PLTO0.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\icons\is-0HTHV.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang\is-EA6CB.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-DKJ55.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\Open as archive.lnk	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\freedesktop_integration\is-E2812.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\SendTo\is-4BL4B.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-U3AAJ.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\lang-wincontext\is-KP179.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\presets\is-UMEOA.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\Windows 11 mini context menu\is-MTTGL.tmp	peazip-9.8.0.WIN64.tmp
File created	C:\Program Files\PeaZip\res\share\batch\Windows\Windows 11 mini context menu\is-ITVS3.tmp	peazip-9.8.0.WIN64.tmp

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\.petmp664AFC\main.exe:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\main.exe:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
6796	6168	WerFault.exe	195
6192	988	WerFault.exe	200
5352	1340	WerFault.exe	203
6668	1736	WerFault.exe	206
5948	3028	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peazip-9.8.0.WIN64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peazip-9.8.0.WIN64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8F\shell	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BALZ\DefaultIcon	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZIPX\DefaultIcon	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lpaq8\ = "PeaZip.LPAQ8"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.7Z\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP_7Z.ICO,0"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ARJ	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.7Z\ = "7Z archive"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZIP\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP_ZIP.ICO,0"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ACE\ = "PeaZip.ACE"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip\QUAD\ = "Associated PeaZip with file type(s)"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TBZ\DefaultIcon	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TAZ\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP.ICO,0"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8O\shell	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional\linux\ = "Associated PeaZip with file type(s)"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.PUP	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BR	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZIPX\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ACE\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8O	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "PeaZip.GZ"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CPIO	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BCM\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8L	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ACE	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.DEB\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RPM	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BZ\ = "BZip2 compressed file"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TAZ\ = "Z compressed TAR archive"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.SLP	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.WRC\DefaultIcon	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.paq8jd	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PAQ8JD	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.QUAD\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.CPIO\DefaultIcon	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PET\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.SLP	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LPAQ5\shell\open\command	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BCM\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BZ2\shell	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.ZIP\shell\open	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.LZH\shell\open\command	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional\mac\ = "Associated PeaZip with file type(s)"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BR\shell	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DEB	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PUP\ = "PUP package (Puppy Linux)"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.TZST\DefaultIcon\ = "C:\\Program Files\\PeaZip\\RES\\SHARE\\ICONS\\PEAZIP.ICO,0"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip\QUAD	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip_additional\ = "Created additional filetype associations"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.PUP\ = "PeaZip.PUP"	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.001\shell\open\command\ = "\"C:\\Program Files\\PeaZip\\PEAZIP.EXE\" \"%1\""	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wrc	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.QUAD\shell\open	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.BZ\shell\open\command	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.LHA	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip\ = "Created filetype associations"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\PeaZip\ZIP	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.PET\DefaultIcon	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DMG	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PeaZip.001\shell	peazip-9.8.0.WIN64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RPM\ = "PeaZip.RPM"	peazip-9.8.0.WIN64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RAR	peazip-9.8.0.WIN64.tmp

NTFS ADS 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\main.exe:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\Tutorial.txt:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\install.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\.petmp664AFC\cr.dll:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Downloads\.petmp664AFC\main.exe:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Downloads\.petmp664AFC\Tutorial.txt:Zone.Identifier	7z.exe
File created	C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\cr.dll:Zone.Identifier	7z.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3256	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
6632	msedge.exe
6632	msedge.exe
6716	peazip-9.8.0.WIN64.tmp
6716	peazip-9.8.0.WIN64.tmp
3948	msedge.exe
3948	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5180	PEAZIP.EXE
7128	PEAZIP.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp
Token: SeDebugPrivilege	6716	peazip-9.8.0.WIN64.tmp

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
6716	peazip-9.8.0.WIN64.tmp
5180	PEAZIP.EXE
5180	PEAZIP.EXE
5180	PEAZIP.EXE
5172	peazip.exe
2800	firefox.exe
2800	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 3948 wrote to memory of 2800	3948	firefox.exe	83
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2212	2800	firefox.exe	84
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85
PID 2800 wrote to memory of 2704	2800	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link"
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link
  2⤵
  - Drops file in Program Files directory
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.0.1931668578\1484249490" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf740658-4b00-47ad-ad4a-fcb8dfffc02f} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1856 13b3d206b58 gpu
    3⤵
    PID:2212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.1.408736373\2004271341" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d237b56e-b582-4b20-9d7c-3c08c71213dd} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2488 13b30488c58 socket
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.2.1857724986\1597368087" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2744 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29efc256-81b1-4b27-a536-20da22b34f73} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2736 13b40128f58 tab
    3⤵
    PID:3976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.3.257741852\2134657997" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37bde3c6-d084-4c79-8e7d-c95acb153191} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3660 13b41f21258 tab
    3⤵
    PID:1952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.4.720426152\1008560204" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5040 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6ffd3f2-d468-49e4-adde-4dbfc40275fa} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 5032 13b42b91058 tab
    3⤵
    PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.5.1554245936\1026448425" -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e32c79e7-7ed8-420a-a20d-c78326550655} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 5180 13b4389f158 tab
    3⤵
    PID:2292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.6.2041049063\979640849" -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53386293-7de5-47a3-ae43-c47a37b372b8} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 5372 13b438a0f58 tab
    3⤵
    PID:640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.7.1184335205\592503736" -childID 6 -isForBrowser -prefsHandle 6052 -prefMapHandle 6056 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3f46da4-3273-4929-a15d-b4cd94f62e4a} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 6080 13b44e03558 tab
    3⤵
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.8.472595281\1858666156" -childID 7 -isForBrowser -prefsHandle 6036 -prefMapHandle 6064 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9bc2cb2-55fa-43d6-bf9e-5683a1c165ab} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 6224 13b30443558 tab
    3⤵
    PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.9.1824603404\2083413190" -childID 8 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {194f66ac-f24e-4ab5-9f26-24bd3f52db27} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 6376 13b4479a358 tab
    3⤵
    PID:6136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.10.850294214\1223614333" -childID 9 -isForBrowser -prefsHandle 5312 -prefMapHandle 5308 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {808a58c9-7a39-4b13-8f0a-6b19c9f56342} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 5300 13b44e05f58 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.11.899275294\922536304" -childID 10 -isForBrowser -prefsHandle 2948 -prefMapHandle 6572 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa778347-d81f-4d74-a9e0-b69039f66f23} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1636 13b45a6e458 tab
    3⤵
    PID:1768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.12.214421177\786730700" -childID 11 -isForBrowser -prefsHandle 3972 -prefMapHandle 5644 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5499c8de-7e53-476e-8d84-4f11a39b2bc5} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 5348 13b443db958 tab
    3⤵
    PID:1516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.13.916888792\1622827511" -childID 12 -isForBrowser -prefsHandle 6428 -prefMapHandle 6608 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cb6084a-7f46-42d8-9110-95b6e144936e} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 4844 13b44805658 tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.14.1034999883\297717612" -childID 13 -isForBrowser -prefsHandle 6292 -prefMapHandle 10544 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfde52e1-0910-4b98-8de1-717de22fce92} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 6068 13b45e19f58 tab
    3⤵
    PID:3972
- - C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe
    "C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6444
  - - C:\Users\Admin\AppData\Local\Temp\is-2IJJN.tmp\peazip-9.8.0.WIN64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2IJJN.tmp\peazip-9.8.0.WIN64.tmp" /SL5="$302E6,9108104,151552,C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:6716
    - - C:\Program Files\PeaZip\peazip.exe
        
        "C:\Program Files\PeaZip\peazip.exe" -peaziplanguage *nochange
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6808
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import "C:\Program Files\PeaZip\res\share\lang-wincontext\default.reg"
        6⤵
        
        PID:3416
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\" /s /q
        6⤵
        
        PID:6548
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\" /s /q
        6⤵
        
        PID:6868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault03549f2bhdf64h4fb5hac3ahbd9d8b4a46a6
1⤵
PID:6312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xc8,0x12c,0x7ffd8a3046f8,0x7ffd8a304708,0x7ffd8a304718
  2⤵
  PID:6396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10056971326822202371,2818675497787626577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:6616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10056971326822202371,2818675497787626577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10056971326822202371,2818675497787626577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:6700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6920

C:\Program Files\PeaZip\PEAZIP.EXE
"C:\Program Files\PeaZip\PEAZIP.EXE" "C:\Users\Admin\Downloads\install.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5180
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\install.rar" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6764
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -slt -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\install.rar" "-x!*\*" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6456
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" x -aos "-oC:\Users\Admin\Downloads\.petmp664AFC\" -bb0 -bse0 -bsp2 "-p1111" -sccUTF-8 -snz "C:\Users\Admin\Downloads\install.rar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\Downloads\.petmp664AFC\" /s /q
  2⤵
  PID:6792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\" /s /q
  2⤵
  PID:6576
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\" /s /q
  2⤵
  PID:6388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5124

C:\Program Files\PeaZip\PEAZIP.EXE
"C:\Program Files\PeaZip\PEAZIP.EXE" "C:\Users\Admin\Downloads\install.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:7128
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\install.rar" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6844
- C:\Program Files\PeaZip\res\bin\7z\7z.exe
  "C:\Program Files\PeaZip\res\bin\7z\7z.exe" l -sccUTF-8 -slt -bb0 -bse0 -bsp0 -pdefault "C:\Users\Admin\Downloads\install.rar" "-x!*\*" "-ir!*"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6436
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmp598314\virtual\" /s /q
  2⤵
  PID:4168
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmp598314\source\" /s /q
  2⤵
  PID:4520
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmp598314\" /s /q
  2⤵
  PID:3256
- C:\Program Files\PeaZip\peazip.exe
  "C:\Program Files\PeaZip\peazip.exe" -pdrop UN7Z 0 1435044488 "C:\Users\Admin\Downloads\install.rar" "C:\Program Files\PeaZip\res\bin\7z\7z.exe" x -aos "-oC:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\" -bb0 -bse0 -bsp2 "-p1111" -sccUTF-8 -snz "C:\Users\Admin\Downloads\install.rar" "-i!cr.dll" "-i!main.exe" "-i!Tutorial.txt"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:5172
- - C:\Program Files\PeaZip\res\bin\7z\7z.exe
    "C:\Program Files\PeaZip\res\bin\7z\7z.exe" "x" "-aos" "-oC:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\" "-bb0" "-bse0" "-bsp2" "-p1111" "-sccUTF-8" "-snz" "C:\Users\Admin\Downloads\install.rar" "-i!cr.dll" "-i!main.exe" "-i!Tutorial.txt"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:6720
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\source\" /s /q
  2⤵
  PID:6040
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\" /s /q
  2⤵
  PID:7012
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmp56D4AF\virtual\" /s /q
  2⤵
  PID:6988
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmp56D4AF\source\" /s /q
  2⤵
  PID:1228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c rmdir "C:\Users\Admin\AppData\Local\Temp\peazip-tmp\.pztmp\.pdtmp56D4AF\" /s /q
  2⤵
  PID:1532

C:\Users\Admin\Desktop\ir\main.exe
"C:\Users\Admin\Desktop\ir\main.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6168 -s 1196
  2⤵
  - Program crash
  PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6168 -ip 6168
1⤵
PID:2012

C:\Users\Admin\Desktop\ir\main.exe
"C:\Users\Admin\Desktop\ir\main.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 644
  2⤵
  - Program crash
  PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 988 -ip 988
1⤵
PID:6444

C:\Users\Admin\Desktop\ir\main.exe
"C:\Users\Admin\Desktop\ir\main.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1184
  2⤵
  - Program crash
  PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1340 -ip 1340
1⤵
PID:6244

C:\Users\Admin\Desktop\ir\main.exe
"C:\Users\Admin\Desktop\ir\main.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 808
  2⤵
  - Program crash
  PID:6668

C:\Users\Admin\Desktop\ir\main.exe
"C:\Users\Admin\Desktop\ir\main.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1192
  2⤵
  - Program crash
  PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1736 -ip 1736
1⤵
PID:6552

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ir\Tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3028 -ip 3028
1⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultaab62016h1dbbh4869h8dd7h0b72fc3db616
1⤵
PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd8a3046f8,0x7ffd8a304708,0x7ffd8a304718
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5262600990546625648,9559070395112836843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5262600990546625648,9559070395112836843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5262600990546625648,9559070395112836843,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:6576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Users\Admin\Desktop\ir\main.exe
"C:\Users\Admin\Desktop\ir\main.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5148 -ip 5148
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PeaZip\dragdropfilesdll.dll

Filesize
2.8MB

MD5
31799d3d9a34028cd107f4d89371817e

SHA1
162233528440107339c05031efc2ca73cf50a21f

SHA256
b8e60f5dd754b406363fcd6658cdb55ceb48256ae88d30dee7180a3706a1a34c

SHA512
de0c167a65005ab84ce9ea9ae446a6bcd742edd1803ec2c0abc798fb7d15d7f09aa410f5bd4a4449feedb5ec9ac9703b8dde0fa5366d97070ab5d4c4c1595239

Download Submit
C:\Program Files\PeaZip\peazip.exe

Filesize
6.9MB

MD5
2337e0d7f47ae59e849357a01cf61e92

SHA1
9a444109518c4404a46451cfb23e48a4b1390a4b

SHA256
6bcf062fbe670498365fdbf560d834c54e0b21b165a13679f70763ef5aa542aa

SHA512
bc0fe5053004f1b1a0678e953b4774eae45bbe13a71773469a569a9125abc564cc43ab34e4390da04dba1a4a0837fe5fad230a471115de928bd7de5deccc7eb1

Download Submit
C:\Program Files\PeaZip\res\bin\7z\7z.dll

Filesize
1.8MB

MD5
4e35a902ca8ed1c3d4551b1a470c4655

SHA1
ad9a9b5dbe810a6d7ea2c8430c32417d87c5930c

SHA256
77222e81cb7004e8c3e077aada02b555a3d38fb05b50c64afd36ca230a8fd5b9

SHA512
c7966f892c1f81fbe6a2197bd229904d398a299c53c24586ca77f7f657529323e5a7260ed32da9701fce9989b0b9a2463cd45c5a5d77e56a1ea670e02e575a30

Download Submit
C:\Program Files\PeaZip\res\bin\7z\7z.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Program Files\PeaZip\res\bin\7z\Codecs\brotli.dll

Filesize
900KB

MD5
ecf2ba205fd75db9a3b59dce888788df

SHA1
639b03eed1f3ba1a00ecba233066f234778e6952

SHA256
371be4a96894ed9e148338ca1c21efb7a3dc8ede59ded6b16670a70b5ab3d7f1

SHA512
bcfed7ac9941e2ce37f1216418c290f7f1cda1349ada7b42015166a58c6a035734991e846022b46499622671d57cbe866812e91b46354ba84d51da53ea07e9a9

Download Submit
C:\Program Files\PeaZip\res\bin\7z\Codecs\flzma2.dll

Filesize
282KB

MD5
1392d8c3acc489f6467142700a126a17

SHA1
3b369d3c35c23961df73b4489d3e672c3e0da1ba

SHA256
3de2589b4460ad4b85f0d5d69f046989913014817eaed2e1153d41a6884d9b11

SHA512
edaa856a8e58c390cf7568578de6ac19e7587c98c29086527ffff5eaa36a6db45979db410d7993533398ecab94c5dea1cf80b2a502f5e3d4ee3026c9fd9241dc

Download Submit
C:\Program Files\PeaZip\res\bin\7z\Codecs\lizard.dll

Filesize
353KB

MD5
e0e4e89a06b5574769ec96230a52f3bd

SHA1
7f648bd54185ffe19bd4998271f7cdb9bf7a98fa

SHA256
93a2abed15bccad167a85474a8f08977ef48c1b9d6e1f11851d151b37e4eb62b

SHA512
c32348ac8e367a033d7790540da651d217bd7b2b5af25193e3e17512f8b576612836388de4cd4f31624692e35ab9609e64a472403dabd05eb782ed8c46f7843c

Download Submit
C:\Program Files\PeaZip\res\bin\7z\Codecs\lz4.dll

Filesize
258KB

MD5
0eb3ef5e8ecba07b7372480c6a6071da

SHA1
8952b81a00ff5c055cd9e0259e1e70c7aad66be9

SHA256
b2adeff21c12fd1dc7c2fd2d8e1f8995fead5cb2cf465be4affccfd9d3c15f8d

SHA512
bae94707d92f8290f3553ec513999d044fbb00385c622f9f3578bd364bb1b86ea9720774c3791e1879210af4288e64a7c8885e92df673e8f09af5b01484d49ac

Download Submit
C:\Program Files\PeaZip\res\bin\7z\Codecs\lz5.dll

Filesize
236KB

MD5
441f8d6756ebba85e81bfd3475a1262c

SHA1
e877d914afb56bbd6a31001620ac2a59377b68b1

SHA256
0bc65cc8f2577b7d831c573f8c5feda52fce86fa881a87124f65a77d49b8ede5

SHA512
2073d61e406b89d4b1db4d7e8e2aa9b76ee516bc7c9593a32880def5a3c3536d31c49d11c4457833093db7b88b2249051a5f64cfac2456c2113c89ce10dbf908

Download Submit
C:\Program Files\PeaZip\res\bin\7z\Codecs\zstd.dll

Filesize
678KB

MD5
a0dea820dd23573bee8d497c34347875

SHA1
d702d4a8c20425ec9dee623944a6f1223f1b887d

SHA256
23058c265b345195cbb4dcf7db7e5626cd8350aa1df606f7bac9984fe02065e1

SHA512
f322d2674e4eede9ab214d7c1b71028c6b13cf70acedfc93ffbf08e5c1ff027d31e1e477ea5bd711635a338ca014290790c75cc6cbe2fb82257b48756e7faeb0

Download Submit
C:\Program Files\PeaZip\res\share\batch\macOS service menus\PeaZip, add to GZ.workflow\Contents\QuickLook\is-V0A2D.tmp

Filesize
3KB

MD5
e1e1070acdc6d9fe210a430f91fb2d14

SHA1
94e6f543d2d7511dd36e5d72b5e2f3c460d0a720

SHA256
d1075536f6b2b7dc5f5baeb44324db9508bedbec5c36b08864c97c8de647e549

SHA512
ca1c1acd595eab368d1a2cf8f82204db71d8ef43ccfb738512b61ac16df7a4d8c7d31de892975e19e7955b874d7e5a0abef278d6088b6adabca73c297c9c6410

Download Submit
C:\Program Files\PeaZip\res\share\icons\is-U7MQT.tmp

Filesize
1KB

MD5
87dde3772d4324ccfed2ed6e5d9b0ed5

SHA1
1e4b20441da280aeb6b6242a7a992933fe3703fd

SHA256
e995334de54eb1a206235ede2494fc20fbc6f1da8999dde987e465ab7ef96f82

SHA512
7e520a3391104ae6cd0b212864164909d938cb1a2931fabfca4376c4cdc2721de490bbdbf93c2b4b535f543e37a5ceafc8044ba56ff7255888f3c629cf1e631a

Download Submit
C:\Program Files\PeaZip\res\share\lang-wincontext\is-MHGPU.tmp

Filesize
6KB

MD5
9be5cb203bfaf9b217d0767e6b2cb41c

SHA1
eb9cde55ed3d1c50e8536d5f3c984b4aa9e1e6f2

SHA256
79e61ffdcbca1c3f30a9ed245bf68cd2505e447e18555fa8dac9eef18fd4d461

SHA512
eb7912c5c32c2a96556ff535f267d37d9a5cb702fd6c0b0081151b277b004069bdc78f72cd6224d4a6156881b31977ebf44865ab878eb0a934c1963d1353930b

Download Submit
C:\Program Files\PeaZip\res\share\lang\default.txt

Filesize
70KB

MD5
007525b0293a522721f4bd51c55f1523

SHA1
f9daa86841b3722db1cace0532f5fee5bb4b2cff

SHA256
fa0bda5f67c41e2d769ef752ffaf2c2815ff48c168dfb20fde74aa62c68f7c20

SHA512
ac0fac936079f97b6e2452d450ca837c232c789081bbbc835414b8b4a5491d41410734ed6774488ee7bd2c15079804ed3f86b652401cc04bb3e5d2886f1e6478

Download Submit
C:\Program Files\PeaZip\res\share\presets\0.txt

Filesize
3KB

MD5
df130ddbe83e762c0938e562c19d7c63

SHA1
bdd0202ac423a06aa313ff3e078d3188c89c1a54

SHA256
29c98b67be2ce78c8b7894fb399e3eac6d2a13a112523e42a23ba57cc5a89d94

SHA512
51ba312f6f48486d213db3d69b1459447078bf7726dd2675c7a4f2f1382c85ee3a4fc796b8c8095de738d52b956ab4431fb794a09a9d697d185b0d50fbaef34f

Download Submit
C:\Program Files\PeaZip\res\share\presets\1.txt

Filesize
3KB

MD5
fac0cec6cf5aebcba0c1ed9622d7e801

SHA1
31457857ab75c10590fc692da17448633502cdda

SHA256
b37a4c544351a1994677158fd11fe8a924af7ec669b136f05abca19ceebcc5fe

SHA512
20451b90af753f5235813152f0a37839f1b3ba1f696a83ebb7cde317f1287928294da87406ef69f8c07d1e05998eafeaffda866f7820c1ea7df4fd2ad727fca1

Download Submit
C:\Program Files\PeaZip\res\share\presets\10.txt

Filesize
3KB

MD5
b6d3881b74c64a48c856f1c7f47d6713

SHA1
7637a2e4357c0f3d146be014a9f80222a7d519ab

SHA256
0f174ccc2fbb9624f817195188f0dcebfbdf00be5bc138d14a56650d16e621ba

SHA512
f5650a49da15f9be80831b014f8d41db85244adb2dfb924b847a2031444f7b8f84a1ed4d4e3208400f06151a56c9868f1bc92bdc42b35d39aa1e1d7f68f241c1

Download Submit
C:\Program Files\PeaZip\res\share\presets\11.txt

Filesize
3KB

MD5
9363a981054453fe80a4d4124d134191

SHA1
c20c0953e418018b33491dacb0ca301791d6c6a9

SHA256
1e04316f7b2bba83464c2fbac1e9e5387c4ab79bdb18d4d2ce9117f791d096a0

SHA512
f2075dd8438229c7efa69d7a87dda107a4ac54f8cad28d3f0ee230828ee34a1815011be7badb700c226582c11667f6154d13f3321c257c289b27c65448b1c721

Download Submit
C:\Program Files\PeaZip\res\share\presets\12.txt

Filesize
3KB

MD5
d84d16c3861e5c60d448d02acc47ae43

SHA1
61aebd54398f36b92ac48f90397c91e3de9f71b9

SHA256
8978bada3249d5ae1f3c7fdbec4b0e9c5c86a9af14c45c52f11f28595493ef66

SHA512
3fe435f2e40e58b5939432e00cf3e0853ba105b08a37a9c2f28549da2c7958462fc883e87af5c3ecc185f8980538dc2534059b36ab7dcb6f1233142651869acb

Download Submit
C:\Program Files\PeaZip\res\share\presets\13.txt

Filesize
3KB

MD5
0a08a011ea9cb532a3fbfe5c286cc389

SHA1
bac8adab082f2025f2b3965869a9e5fa02e8fa05

SHA256
cda0b85ee936cecced0441e1320a8603831badc40216f48823dfe2f344c5368f

SHA512
64f09577cea0ba3d8a653f1d34e53111c0708c7949dc44dd5a005ba7bb32ae9770f1ef3f7c9cf015bc9a976fffc57f7c803e2aeb53ba243784a1190a4cbede7d

Download Submit
C:\Program Files\PeaZip\res\share\presets\14.txt

Filesize
3KB

MD5
db53495853c1590d05870e5f0325c3c9

SHA1
42a317e08a273afc04e59d12c91b14756199322b

SHA256
eb931ebbf95e27a625f31dc5b6f193d3e04a279a24c65a03b36852a61b66e1a9

SHA512
789f38e6b0bb53cbcb62f0c90eeec6922fe1560c9d26b2bf1c8f1d8907eb605b1b2788ea8fc232c657e19b75f36024150cd8e45e717499cfa8b03b570c54c912

Download Submit
C:\Program Files\PeaZip\res\share\presets\15.txt

Filesize
3KB

MD5
4ee8be05f38bb3b544877096d24e03dd

SHA1
83e03b846ac45fe37b88990cf97f6092b9d8c08b

SHA256
6d3eeec7f46de6c60312c46a397f5fce2e0a76d8f73ffadfc61d7d00fc2cb1c0

SHA512
710afdbf4926388417777409bdce06622e9b490ba81b3846e516a495b7026ef96d592db28e9627ac28fa3954f50cfc778e6fd1736716bff66ca40aa916185fe6

Download Submit
C:\Program Files\PeaZip\res\share\presets\2.txt

Filesize
3KB

MD5
b07afc6d8bfbf7de6cef2b1b042be838

SHA1
82edf5579558b22c1d067fbeb2f960dcb123bb52

SHA256
b7389d2a18f6c60209c7475b239091d311ae0e52c41dcfb8ac595ebc45b357f5

SHA512
a7488eccaf3a64421b16bf6d07493993cd31c87890096c5405b577f3b4e0177f38b2bc835a786e384a3e3c2758b22eeaa83038e156f7e6bc88520698e9442d98

Download Submit
C:\Program Files\PeaZip\res\share\presets\3.txt

Filesize
3KB

MD5
fc69df58339c6c4db570816e2774cfbf

SHA1
1e32bdb63f04fd5f256085c7f453103ba2200d94

SHA256
f17fabc988fc366371e250f1c87514cfcfb38acfabc3c438ca35d22b099c742f

SHA512
66cc6dfff57a880f49461f83981cb1a7f36b4aed37cb3432585dbe9bd6552cb446c1ccb639b9e877bdafb3bb41f7d0fbf1fc3ab47250976d3bc487129ecc4514

Download Submit
C:\Program Files\PeaZip\res\share\presets\4.txt

Filesize
3KB

MD5
d7e67c0e5bddd4e01843d25a45cb661b

SHA1
7b5f582c6270a50f30dd6a30f045c2a2f4dd021d

SHA256
e4fba0d92ecf122e18a7d02ea1cda246cfaf9677338b9d46e332b00ec5293ad9

SHA512
322eab22e8bc54825f40dd009cc0c203de7f10a00245d4763d3aa846e73481229fa3823091736019c0aa2e6c916836029ff04b9da0131df6476148424c4858ad

Download Submit
C:\Program Files\PeaZip\res\share\presets\5.txt

Filesize
3KB

MD5
4b8b622166a249feb292d6d100dbbe70

SHA1
7a9a87ce4b175570d9e9f532a2fcabda860c0ea7

SHA256
245e6eda87591c9dddf318f5bb2002656788c3aa5f59d9ec7d7b525348ee692f

SHA512
e5a113233eef6beab107f592d5d35f4b52cc9c83b81c280c802e64dcada5c0cb039d9b996b366cff1eb7d9caa0b30c9a338e4cc889bd28846624e1cef5bc5abb

Download Submit
C:\Program Files\PeaZip\res\share\presets\6.txt

Filesize
3KB

MD5
0b7e2685d79d32de5d3b1f5753658fac

SHA1
4d3c75505169cc51e78790166c34a0ef384be28d

SHA256
f50debe2a9d009b409318c5fe68bdd6404d11f7e46d3bf00224f33469204a1bb

SHA512
534970d112d15562ecfdf6b388afe997d7ba2f5b7d171e1e9af56f7eef629a5f1a07e0261966271489b7fc36cc2fa1fc8a1dd06e32a28d69f6a195061eaa8871

Download Submit
C:\Program Files\PeaZip\res\share\presets\7.txt

Filesize
3KB

MD5
941035bd3c57a91c7d069437bdc96e2a

SHA1
b0c35a8fcea9cffa81dee3468cd13f834c0c94d1

SHA256
6aa8fd4acd52201ed69090d137fb7fccc376fe40cc36c44f28e80fd3be37fe36

SHA512
bbd055e99c08fee55a34a4588102490beda9d25dbb0ecb4119ad6a95145f60cd4e0695274ffaa113240085aa268589459a4bd77668f66164889f7e01e885f6ed

Download Submit
C:\Program Files\PeaZip\res\share\presets\8.txt

Filesize
3KB

MD5
c83b752ebeea3af140fffe85578ca775

SHA1
2f7371a6e908939a520cbb52a3e26fb05b2e3803

SHA256
a37279c575f0a388e4f657d155154318cd95015528773d8c0643999364655c1a

SHA512
64f24a2970a0d6eb212ed5b3c88dacb0edd008a15ae1e003a9a5b2ad49b6098f1a143b96cb19f325ee16a89e6ecdc34d90b6efe092b061ef7f5d17d33a16f9fd

Download Submit
C:\Program Files\PeaZip\res\share\presets\9.txt

Filesize
3KB

MD5
74c90a2dfdb63c530c07844bc6cfa59d

SHA1
5f55cebc73d19d602ed4471e75710863c3623414

SHA256
ef1802dec57fcb3e5ed1e04611252a71b3c1865c7ca98c69cab40656533acb59

SHA512
8d846b6c4b743cc7684131083c1b3a498ae046971d4e9ccf2203632b1b182639dec91241632a15448f37335ba1a93a3091fb9c5e359900b8204564799aaca770

Download Submit
C:\Program Files\PeaZip\res\share\themes\main-embedded\fm-theme.bmp

Filesize
70B

MD5
e57040134b77ae54df14121c793aff53

SHA1
0abd2098e6aae2e647d15de10f6e4d5f28f8fc4f

SHA256
3958ecc97b63508f01dee5636b247820b812aa933b75725db30e9f4eaf58f703

SHA512
f299c65c30e2a39a76c0feefe5decf7bcf321e2799662e38d0e6e350b71a3a346ec5bfe633cce9fb0e73320163829f2b5d174b738995b03596524feca7dc4a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2c1cf97b642879dfb0b1ce689028b42c

SHA1
32a94a690c479529c0045a822d52e5ea478bee85

SHA256
8e9bab97de08eeb80a07f37e957b9358c0fa79fa0cab42727ea7839ea9d63c53

SHA512
2de746884c70f781fce61d2fb9f343c6800f1a2f330c8c682d9d04604fe063cfd8d6638d931b8cc730305d26b1afba9108bba44acd9c0cfc9a0d168f9535661d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
de8f83d4a39329f0b4b6cb78e039e2b6

SHA1
035c842a37ca58159d48b0ad27ce8feaf32aa537

SHA256
3ef50128e6d6279bbd8b93a5d0f06328c91d78b08e49f116f9c75314377fa2af

SHA512
2dba3e57f9118ac16a895819e08cd2867423a4c22034a8b912b9b68780c648157ffad59f392ac62663e7d1583e925352257165eb58a7c71076caccbb327de498

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp

Filesize
30KB

MD5
b0996f90ab573443b3638520d2041154

SHA1
26912955a235d3b6a2426f9cbbd2c26cf7da7061

SHA256
579e099b9b223acdaa2c66c5f5bd410d38439198364ebd69fd55815eb6776a79

SHA512
3e868faee20138f1f33c6bfe837eab8835ab8aa0609fb84949c479641832e0a6aeb9f70b57ce45b72ebfc396f71e6b12550404d9e779e0fc05083f9c8d62b5eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\doomed\7772

Filesize
15KB

MD5
44a0777864f823710724c44699321172

SHA1
1c876f624a1eac839641e470cee2092e5b18c78a

SHA256
95cdd05e97ccb113fcacfed529e9cd5a1b72d018ff3e2e343cf4a6184f909d41

SHA512
17d049da8f236e458d8b9e23a2d570933c081975955799e3092ed1817e6d068fa03682d24fbdcd799fd48419e3bcee182fbc31666f927407f616eb384fa7db4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\055BBB905A5045D20CA3FAAD45FCD316C5072EEB

Filesize
218KB

MD5
8f57e1d808902362c30b247c4b515da4

SHA1
405f635c8ec2fc00dc7eccd79ff128eba21a84bb

SHA256
ff072bf4b5fa4904269c6fa21383564e53f16621e8e58ad1ff94163206839cde

SHA512
5d3ffc1c6fbf391720b8f7eb375820c3aea881403ca9be8aa244d29241b16e696f295025460a795fd9d870f587b52c6f51aaf0d92bb4f0a9101e94e66101c47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2IJJN.tmp\peazip-9.8.0.WIN64.tmp

Filesize
1.2MB

MD5
889c8ef91ac310544d1539ac3cdc0f07

SHA1
3ccb4c5ff6c419599138bcce43a70780a9570871

SHA256
7ba798767f82812cc3bfba370b6797fd29ecdcddc52baf967a52773edee4a0c7

SHA512
a25353e243a4db84d0262210eacb6ce07b13bed982e347cba085d6d7b895a781c00524739477baec5eac186b65e65da0cca0315bb8f3abcd250ab032d866d2a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
90bac4ed3d144498c9c7c6861e6973d2

SHA1
809a5d68677ce64cc311898cc242925ab5858883

SHA256
02d793a592367697e7915f7ff69b8c1612f032e14d06341b480fd44f5ba72cb5

SHA512
8f1e51f41c6d7878a3843a79e40c4b25c61d718fa0ec01d3a4650463ce9d7e4cad24b7735a9312eb3e4df0dcceb21f81454e848e1c57d0862ed323663ad7a30d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

Filesize
6KB

MD5
1d12d0f42a1b35285c9f8ac5674b3897

SHA1
077c2fe68cb5ca992120c5c55d96032a5f27b576

SHA256
ff1ee93021bf1d6e3d89d7e6101b4ea2717bddcc42b3efeecd7db34b788cb936

SHA512
fa59d26d25ce31040a58c067e2dc0656f1d9b5231abe836fdbe75438154ed8c9d1d1e12a086018d612dbedf4c33b253103c8422c9309149fc9fc06939fde0b89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\prefs-1.js

Filesize
7KB

MD5
af1d24ca6f32e0a827a7b4b2da61eb49

SHA1
a391e469df2d6725e14e5346fd51f00d4b22603e

SHA256
af11f30704e5f03692e5a0617888bef9906591d66d4773220eae44eab8b3f42a

SHA512
773cdba4399b7bf8d316f6b37620dd7dfb20e53c127399a33692fba05e70b5616f6cb32c4c1a05896e8249b901710c9060828085427722c94dd705bced6b5d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1016B

MD5
118f5cdc38c57607789cc99e680ff07a

SHA1
70ec41d77f633f2116ce5418cfa020bd4b646aaf

SHA256
d4f2de3916ee0cd6da807d50082680822a1d36edb78cf4dfe2b03b5374505b70

SHA512
94724686459ecf1610b90fa0cd57ce6d77040c48a68f25327feb6a3edfbeb0a586f783092cdef497df97331c71d37217706052b3a9def1b8954becdb01f676f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
5868d05d0e248474078fdc1a69f462ab

SHA1
081ea76c1934305fb25cbeb742e028bf7aa53e94

SHA256
5f218a8af0305c4feeb4224ff6f1e3addbde4a2f5d190eae8d2df3447b6aac87

SHA512
7bc70e1e735201622443034b29627e8c6c656db84ea2251f841509241d8bd936167f338af25fb6a8f633e02c6907231a496ea7b30d59b9e28a75a20f0ff380f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
8cf13be3b8c8088db7abec7eb75ca7b7

SHA1
74c6652ba9ada9f0a10057c1503c7af349b36af1

SHA256
989df662d26a58f8ebc1fef04d4630b063e18e086d3eb0130facd3a7ae035b81

SHA512
3a736f6eeabd8d1be7cda30e35e26c1db3a7eda099d4b37b0cadb787baa515f62cfe683759a8ee55f1858aa9a068267eff05f437418182713cc1e45dc11b235a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
5b17a2c2633ff296305c4b3cfb05127b

SHA1
4261011cf559df0bd5c99ec7c635b3c7384cd719

SHA256
ec2033494eb41b7813c4aab8bca0362c1953951053dba06b8adaeac529c1e24b

SHA512
d6289f4ff68c40e8feb48cbcca3ad2c185930df389977203e5810dc9df04ef29c9726e4d4011fc9a3a6458b9395079dd46d24b70b280be9c9e87f946e13ae800

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
05093833d4ea7f900b07d19403eb2842

SHA1
16a80d97edde7eaea1f12186e9e4658fa62fd5d7

SHA256
52e0e0c01859d0922679ca87cf461340e95d90a11d6484fd718a0c5804226c8f

SHA512
b4c3cbed3a728c3fa8db33691f36342c9a4da6496c511ae7108b1d8362a3076f557e757323235b04e3e5e4cc037b9c5188525a0e07dd13c5663b2c02d243e0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
339f1b82d331706d570738b6fb286bcf

SHA1
b78a9ef36603f94b4ca3802d3f1e30b57100e0b3

SHA256
f7c8a1a7413313c84600e03c17add95deeb455c1d358c307c443d6b1c32453bd

SHA512
5df8974fdd737a0781b081f1070dba5aed795cc28cd08635d18e51b00bccf6c829b5cb1ea6234cd71c10d9edbc0a3d17b4caca05677478dfb929450ece65f2e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
3805c0a6ba31f59fbbeef5aeffef3497

SHA1
6d117012eea80671bf326bdb7b058366fc137256

SHA256
6934cc61a43eeb93c2ea247835c2b868d891fd1e352f51f2bdbde93d5cdcf821

SHA512
d8a931f57658f0ff08558435e497dfdb096225dab6878fa4d8d943a964d2666d138f3a302791144a2e5de0028123026fc0eadb1615e2c83930eb4fe2660dca97

Download Submit
C:\Users\Admin\AppData\Roaming\PeaZip\bookmarks.txt

Filesize
295B

MD5
2b8aafa512d574995fe68d912beb22ef

SHA1
4c6362e42564553aff40255885ae0ff5691d8e90

SHA256
4c7b721654f1883ceb8a0de803565f56e2038c5df24a975701d8b9f33ee7b44f

SHA512
f2196435af459102bc9a3701ed5265c9d18f837f6ed279bc9530695b28a7ec5112b61c5c523b90fbf9141cc4f8ac368a13fd6275c0a71294a00a3e86307863c9

Download Submit
C:\Users\Admin\AppData\Roaming\PeaZip\conf.txt

Filesize
12KB

MD5
9f744b298d73df9e07f5d23924c61088

SHA1
2fbecaad46aef61bd1555d290accef47fba25984

SHA256
280f0caa5c56b2c9e81f719a81a1fa44229395f596f27630d74c3f2c64b6b96b

SHA512
6876e9c4afd83b663909780f3cf1d13975c7ab52ccb1801edb0db6ae79804c77f8d9c90802facc931e4ff040d5d81f381a42e9efc120c8a1d93938768bdea45e

Download Submit
C:\Users\Admin\Desktop\ir\.pdtmp56D4AF\virtual\cr.dll:Zone.Identifier

Filesize
173B

MD5
3b3b5b65739ba297d62a8f4eab72fe83

SHA1
b02ce2411ce7fc6e5def4964580d4ebbb4a39ecc

SHA256
d69901e2df83d13995c7ebbb5d6a63272c20e62a06e54d63222e867dd6a080a5

SHA512
dcb1c613f0c91093a0c8aad760963ccdd3e4d3e096e54e67742e113be8263fa47918b57ca3b9871843ed5958afa928501f38b9e58b1475be9ee07ed292fd9296

Download Submit
C:\Users\Admin\Downloads\install.-q0Z-XnJ.rar.part

Filesize
6KB

MD5
4d27079fd2c2c524734f057574db875a

SHA1
a865099dd5e4344dececdda3d0de1712695d6181

SHA256
1c73d8aad69972eae5c0e287fad77a11c517175877f49ba44f94095b92cb8fab

SHA512
f4f1399814448d991a925b151791440ff76bc55d29b6cded6f3df5ddc84eb478d82e5f096cb8852c8225e93f3efa4fdbd779b75b1d6a10c9763a27329e5c1d6e

Download Submit
C:\Users\Admin\Downloads\install.rar

Filesize
448KB

MD5
4564a9a35d9e7e7883faa2ed3361e0e4

SHA1
79a611b96bc0cdab0bea30423814b4ad7245800c

SHA256
06ce088beb65731be6268934f89d44a00d386e517ad88f8e28a8968c0a43b7e0

SHA512
efcec8c64edc5e23a7d24610c4a7e7facd3c682eb42875bc0b19e95ffc3479749d044a78f274cbdabd4252a07ef3da567aabe995abf2f5790da139203075fa51

Download Submit
C:\Users\Admin\Downloads\peazip-9.8.0.WIN64.exe

Filesize
9.1MB

MD5
898a8987cc606b17a5e588ed976b35a0

SHA1
d49db9e82ab22e4f51b051b1ee1069a5067308de

SHA256
f0637a8d40fb90f39ee156bd9c826e605a5a82f520d48931990b307ad08a0572

SHA512
7c0b06b1b517196798ce324142f08ef6f4fb8f21d4765e4d194088229d297c6ad5c8ee80ed41cc4506e5c98fa6b6092dc4734ca5c0664c19a0e58bc1c7fe1d0e

Download Submit
C:\Users\Admin\Downloads\peazip-9.nxIkrocl.8.0.WIN64.exe.part

Filesize
16KB

MD5
3ab88e58d89cc18cf38a3b51c21de863

SHA1
257f04e3ec12054d2150faf6e42fad2b3c68d621

SHA256
51ddf09d9bb227e27ae8cc72ad3fba09f4365b6451a675c4777ef1177c67d4ad

SHA512
4b92c32c852833681463997cff08fd663b54d7b4a531fd28738c2708561d9387d80a6bdedc679219d69ab80ee0c985694d88f4b00aeef11df28416fc8ea07834

Download Submit
\??\c:\program files\peazip\res\share\icons\peazip_rar.ico

Filesize
19KB

MD5
3c362ee797ae670c00c9ee383f239276

SHA1
3d5468abe443202768db31fb4c7a1c998a2f63b1

SHA256
5a646c34293db43ad4520d2185ed3377105a920ee7f14f7a9aec9840afc53793

SHA512
aad352d83b5c109c4187bf5509411a2ff579a595e486c0e0e309c0dcc39f9adef64c8e062e047349f2eeaa9b8a8de28a2a3e308c09b13b9e8c6ccba0a8c7d7b6

Download Submit
memory/988-1651-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/988-1655-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/988-1653-0x00000000015C0000-0x0000000001615000-memory.dmp

Filesize
340KB

Download
memory/988-1650-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1340-1669-0x0000000000F10000-0x0000000000F65000-memory.dmp

Filesize
340KB

Download
memory/1340-1670-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1340-1671-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/1736-1680-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/1736-1682-0x0000000000FF0000-0x0000000001045000-memory.dmp

Filesize
340KB

Download
memory/1736-1684-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/3028-1686-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/3028-1699-0x0000000074C80000-0x0000000074DE4000-memory.dmp

Filesize
1.4MB

Download
memory/3028-1688-0x0000000001780000-0x00000000017D5000-memory.dmp

Filesize
340KB

Download
memory/5148-1759-0x0000000074D10000-0x0000000074E74000-memory.dmp

Filesize
1.4MB

Download
memory/5148-1761-0x0000000001030000-0x0000000001085000-memory.dmp

Filesize
340KB

Download
memory/5148-1758-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/6168-1648-0x0000000074BE0000-0x0000000074D44000-memory.dmp

Filesize
1.4MB

Download
memory/6168-1646-0x0000000000E60000-0x0000000000EB5000-memory.dmp

Filesize
340KB

Download
memory/6168-1645-0x0000000000E60000-0x0000000000EB5000-memory.dmp

Filesize
340KB

Download
memory/6168-1644-0x0000000074BE0000-0x0000000074D44000-memory.dmp

Filesize
1.4MB

Download
memory/6168-1643-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/6444-1243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6444-1511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6444-573-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/6444-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6716-1510-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/6716-1244-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/6716-578-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download