6df99010279800c1cce0ecc0a59281f399b4c774ad61dc486a9ee9944bef3901

Analysis

max time kernel
122s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SevenRecode.exe
Size

139KB
MD5

a2488db381a90da326053a2050cee0b3
SHA1

ccd2a0b649126f6fcd9c8118ee35c9444bc5acd3
SHA256

ab179853ce915ac8d41a77c553a56bd9c660f632326ab97929fd57b081138ef4
SHA512

3f9ae5f78f632e9b07f98ea88a806f7252340882f07081bfe2f1cdadde39a13324bee455a78971ade7e893d03ed27a1a7d123dd59b504eaf0adc8340457fad42
SSDEEP

3072:eiS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJt8ltf:eiS4ompB9S3BZi0a1G78IVhcXct

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (3774) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\gmreadme.txt.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRecode.exe

Executes dropped EXE 3 IoCs

pid	Process
2088	Winhttp.exe
4716	Winhttp.exe
2692	Winhttp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsvirtualization.inf_amd64_078671a0cdfe2870\c_fsvirtualization.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\heat.inf_amd64_b73306c081719f1f\heat.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmx5560.inf_amd64_209486f1c39d4b46\mdmx5560.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\MSFT_EtwTraceSession_v1.0.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipagr.inf_amd64_a3248d35e6aba0f3\acpipagr.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ScheduledTasks\MSFT_ScheduledTask.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClientPSProvider.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_3DPrinter.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_61883.inf_amd64_2c1769df23d261a5\c_61883.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\errdev.inf_amd64_616c5168a5b1807a\errdev.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_bxt_p.inf_amd64_190858fd8e931883\iaLPSS2i_I2C_BXT_P.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_26dc960cc4c84207\mdmvv.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic_heartbeat.inf_amd64_ad33c2d1c7a3023e\wvmic_heartbeat.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_PrintJob.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\Tcpip.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_acb1691126c93472\flpydisk.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmeric.inf_amd64_41ae7c84b8d94de0\mdmeric.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\MSFT_EtwTraceProvider_v1.0.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_WsdPrinterPort.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\tcpbidi.xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\multiprt.inf_amd64_a9b96d6c7813082a\multiprt.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_7f84203a67c210e4\mdmolic.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\percsas3i.inf_amd64_c17a63dada1eaa02\percsas3i.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetTCPIP\Tcpip.Types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\Winhttp.exe	cmd.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidspi_km.inf_amd64_7e53b3972dc4df20\hidspi_km.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_3bb2e5702f25a518\mdmaiwat.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\prnms014.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterBinding.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\@StorageSenseToastIcon.png.sos	SevenRecode.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prncnfg.vbs.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeamMember.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_aa94d04ecf56de1f\vhdmp.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\UEV.Types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_infrared.inf_amd64_3160910a003e1f11\c_infrared.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_src.inf_amd64_0bdbb11733d87f9a\microsoft_bluetooth_a2dp_src.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\MSFT_NetNat.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\PhoneSystemToastIcon.png.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_b2ebe9229789b181\mdmar1.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmega.inf_amd64_f35131186d3026aa\mdmmega.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_PrinterConfiguration.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_ddb154dfd1a1c33d\ipmidrv.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_f4769cb994ece833\mdmlucnt.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_b6cb67052996a0bf\ts_generic.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_volsnap.inf_amd64_47e3741bbf4d6b06\c_volsnap.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_0e77868deff0b0cd\mdmsonyu.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_ba5b77b7d46bc10d\mdmirmdm.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\it-IT\default.help.txt.sos	SevenRecode.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptpg31h.tmp.jpg"	SevenRecode.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\plugin.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Sunset.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-100_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-250.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\6.jpg.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-black_scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-125_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-200_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-unplated_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotMatch.snippets.ps1xml.sos	SevenRecode.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-unplated_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.ps1.sos	SevenRecode.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.ps1.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.jpg.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-fullcolor.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-200.png.sos	SevenRecode.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobelanguage-page.js.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\16.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\oskpred.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms010.inf_31bf3856ad364e35_10.0.19041.1_none_51daff6f902eb5e6\Amd64\MSECP-pipelineconfig.xml.sos	SevenRecode.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\default-frame-vm.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_10.0.19041.1_none_215d1c4c12e1d275\Rules.System.Wired.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\foreground.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft.powershell.odatautils_31bf3856ad364e35_10.0.19041.1_none_90e443fdebf6a82f\Microsoft.PowerShell.ODataAdapter.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_10.0.19041.1_none_641cd8499a376e57\InstallWebEventSqlProvider.sql.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_net8187se64.inf_31bf3856ad364e35_10.0.19041.1_none_c64b5602653e7b30\net8187se64.inf.sos	SevenRecode.exe
File created	C:\Windows\ImmersiveControlPanel\images\TinyTile.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\scriptfileicon.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\connectionmanager_dmr.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-80_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1_none_b3f1d9ff0e206c99\Quick Assist.lnk.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_intelpep.inf_31bf3856ad364e35_10.0.19041.1266_none_323b1cade61f29e6\r\intelpep.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_es-es_80b0e69d86443d44\SqlPersistenceService_Schema.sql.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.scale-150.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\ScoobeAccountState.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square44x44logo.scale-150_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeupdatesettings-vm.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.19041.746_none_89566cffc2a3c072\SecurityAndMaintenance_Alert.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square150x150logo.scale-100_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeprovisioningprogress-page.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare310x310.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-48_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Windows\INF\wdmaudio.inf.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\StateMachine.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\pdferrorofflineaccessdenied.html.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\base_jpn.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.19041.1_none_8805ef3af31f4b8c\Advanced.Theme-Dark_Scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_23685c9c791653a6\DropSqlPersistenceProviderLogic.sql.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\AppxManifest.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\debugger.bundle.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSplashScreen.scale-100.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-16_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square310x310Logo.scale-400.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-16_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsCloudIcon.contrast-black_scale-100.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-compat-appraiser_31bf3856ad364e35_10.0.19041.1266_none_0615c459620affef\Win32CompatibilityAppraiser_DDF.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..xtservice.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c429f54b07aa1ba4\f\AppxManifest.xml.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\SquareLogo71x71.scale-400.png.sos	SevenRecode.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\AllowMicrosoft.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_arcsas.inf_31bf3856ad364e35_10.0.19041.1_none_c2d974ae26769fe6\arcsas.inf.sos	SevenRecode.exe
File created	C:\Windows\PLA\Reports\fr-FR\Report.System.Wireless.xml.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\Square44x44Logo.targetsize-36_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_8a237828132e61da\BeGreaterThan.Tests.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_b03f5f7f11d50a3a_4.0.15805.0_none_ef6dd2b1186a2bbe\default.aspx.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\SmallIcon.targetsize-32.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\RenderingControl.xml.sos	SevenRecode.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallCommon.sql.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netadaptercim_31bf3856ad364e35_10.0.19041.1_none_2f19571d8ff91e32\MSFT_NetAdapterQos.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\breakWorker.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeWide310x150.scale-200_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.Summary.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_10.0.19041.1_none_ab1cdb679f059ace\VF_ProgramCompatibilityWizard.ps1.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\typescript\formatterTypescriptServices.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelanguage-page.js.sos	SevenRecode.exe
File created	C:\Windows\Media\Windows Shutdown.wav.sos	SevenRecode.exe
File created	C:\Windows\diagnostics\system\Printer\TS_PrinterDriverError.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms002.inf_31bf3856ad364e35_10.0.19041.1023_none_625c42877ea35108\f\prnms002.inf.sos	SevenRecode.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1848	schtasks.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1824	892	SevenRecode.exe	84
PID 892 wrote to memory of 1824	892	SevenRecode.exe	84
PID 892 wrote to memory of 4852	892	SevenRecode.exe	85
PID 892 wrote to memory of 4852	892	SevenRecode.exe	85
PID 892 wrote to memory of 1304	892	SevenRecode.exe	86
PID 892 wrote to memory of 1304	892	SevenRecode.exe	86
PID 892 wrote to memory of 8	892	SevenRecode.exe	87
PID 892 wrote to memory of 8	892	SevenRecode.exe	87
PID 892 wrote to memory of 2112	892	SevenRecode.exe	88
PID 892 wrote to memory of 2112	892	SevenRecode.exe	88
PID 892 wrote to memory of 720	892	SevenRecode.exe	89
PID 892 wrote to memory of 720	892	SevenRecode.exe	89
PID 892 wrote to memory of 5048	892	SevenRecode.exe	90
PID 892 wrote to memory of 5048	892	SevenRecode.exe	90
PID 892 wrote to memory of 1448	892	SevenRecode.exe	91
PID 892 wrote to memory of 1448	892	SevenRecode.exe	91
PID 892 wrote to memory of 3368	892	SevenRecode.exe	92
PID 892 wrote to memory of 3368	892	SevenRecode.exe	92
PID 892 wrote to memory of 996	892	SevenRecode.exe	93
PID 892 wrote to memory of 996	892	SevenRecode.exe	93
PID 892 wrote to memory of 2044	892	SevenRecode.exe	94
PID 892 wrote to memory of 2044	892	SevenRecode.exe	94
PID 892 wrote to memory of 3724	892	SevenRecode.exe	95
PID 892 wrote to memory of 3724	892	SevenRecode.exe	95
PID 892 wrote to memory of 1848	892	SevenRecode.exe	96
PID 892 wrote to memory of 1848	892	SevenRecode.exe	96
PID 8 wrote to memory of 4016	8	cmd.exe	97
PID 8 wrote to memory of 4016	8	cmd.exe	97
PID 3724 wrote to memory of 5096	3724	cmd.exe	98
PID 3724 wrote to memory of 5096	3724	cmd.exe	98
PID 1304 wrote to memory of 4496	1304	cmd.exe	99
PID 1304 wrote to memory of 4496	1304	cmd.exe	99
PID 2044 wrote to memory of 4068	2044	cmd.exe	100
PID 2044 wrote to memory of 4068	2044	cmd.exe	100
PID 996 wrote to memory of 4688	996	cmd.exe	101
PID 996 wrote to memory of 4688	996	cmd.exe	101
PID 3368 wrote to memory of 4356	3368	cmd.exe	102
PID 3368 wrote to memory of 4356	3368	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4496	attrib.exe
4068	attrib.exe
4688	attrib.exe
4356	attrib.exe
4016	attrib.exe
5096	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe
"C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe C:\Windows\System32\Winhttp.exe
  2⤵
  - Drops file in System32 directory
  PID:1824
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe C:\Users\Public\Documents\Winhttp.exe
  2⤵
  PID:4852
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhttp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhttp.exe
    3⤵
    - Views/modifies file attributes
    PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhttp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhttp.exe
    3⤵
    - Views/modifies file attributes
    PID:4016
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe C:\Windows\System32\SevenRecode.exe
  2⤵
  PID:2112
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRecode.dll C:\Users\Public\Documents\SevenRecode.dll
  2⤵
  PID:720
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRecode.runtimeconfig.json C:\Windows\System32\SevenRecode.runtimeconfig.json
  2⤵
  PID:5048
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRecode.runtimeconfig.json C:\Users\Public\Documents\SevenRecode.runtimeconfig.json
  2⤵
  PID:1448
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\SevenRecode.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\SevenRecode.exe
    3⤵
    - Views/modifies file attributes
    PID:4356
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\SevenRecode.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\SevenRecode.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:4688
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRecode.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\SevenRecode.exe
    3⤵
    - Views/modifies file attributes
    PID:4068
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRecode.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\SevenRecode.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:5096
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\System32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
  2⤵
  - Creates scheduled task(s)
  PID:1848

C:\Windows\System32\Winhttp.exe
C:\Windows\System32\Winhttp.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\Winhttp.exe
C:\Windows\System32\Winhttp.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\System32\Winhttp.exe
C:\Windows\System32\Winhttp.exe
1⤵
- Executes dropped EXE
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.sos

Filesize
7KB

MD5
ac0c5b1f0890f8f7d68f9d73acf82b50

SHA1
d02d3ab9952e1ebedc2b2fcb2e9e8b9f00ee286a

SHA256
4069a844a487c8aefb08119eedbaae8801cea467fb09399a991771de7e8e1811

SHA512
4a9a14a07da87dacceb62492d3d1e712a8f806d25bf304ad956641cdb2faa7dbbcaa64b2fe9f69a5015d75e91ddf5181916d21ccbc4f8d309e8183807dad7849

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.sos

Filesize
15KB

MD5
e2c7edb05c3e4e5dee2fdaaadf61f59a

SHA1
c6cbf44697407e40f145ad26629145e390d63864

SHA256
eab5180305a44567b5aac75f6e702f36f051fb10db9e70a8317d546764cad814

SHA512
25ccce12edd2284243bc2edc0906153adfa43ca2a358cf2e46082a0402a51497f264b9493ab8297baab1e81deac8dfa2dcccd27ffc73b26f729e9c550edb0217

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.sos

Filesize
8KB

MD5
25a53c8123df35ebf05c5612fff0cea9

SHA1
6de58e0e636b5008e4762a7380c5ec8338a02fad

SHA256
91d2f884822715f0f6d0b2813f5a68d48d3ca34c561a3faa126d5f37ea48a043

SHA512
f49cf4519194d8044bb8d8dd5e902a750cb9608fde7e682c2ba624d345fdc75c035dce1b7cb24a6f8dfa59051825ccb6e5d7e5d4da91cab3fb2b0a16e6d26569

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.sos

Filesize
17KB

MD5
e7bdac54bc35961274d85cb879cb3a5f

SHA1
17d5e6947bdb5e7dab410dabf20934d1e5d6151d

SHA256
d0d77291b9b4e0e9c27f2d59777f458a4d30aaac18c49914b9d2494e01768a5a

SHA512
62478a8a8faf7e29fe0ff822f88f6c0a22ee9d13dff62d89649806056bb6fd3730fede5b4651311d017696c8dd0de92ee66a79f64db75621f52efcf4a1cf0639

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.sos

Filesize
448B

MD5
08074361cfaacb9230a37d1ec7f30c42

SHA1
45e2ccf94e69c5a9f83e7be992bb7cf57859ed56

SHA256
e3ce9dc337bc5e9cf1040a9462126beb5cd4d38510d1ebd2bea2110f3ea69c2b

SHA512
2137411f129ecbe9231c8ea7308ab3dd9942f7936648521469801b79147888047725acd383b3908fe3b385044050542b084543f1e68908c74ed5d45df20b414f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.sos

Filesize
624B

MD5
ac9c2131040639e559a790d6c3325258

SHA1
8c4967481008c67fc76fcb236ad59dc940f46618

SHA256
3e9712251a7e6d4b1927be0c0e7fbfc85c267be4beed4eb23ddd7de24f166d3f

SHA512
46bf0c7b89bd9cc7f4771c64b7eab06ae870f7f95685e12c0541314495352403374899b8ce101b741a1c8da440c27aaddc95e73b3418e263591c386c8e7c7445

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.sos

Filesize
400B

MD5
4916680f2d27bb9d179ebc65b0149a89

SHA1
49d7f6cfd26be12a8d71a83053f13f1e1b605652

SHA256
f7ea397f27665d2d1cfe50681081f761a271930362a948d805b0621ceeba204d

SHA512
4bc6a3c000a01fa4ba4dcdf8c82d3cc0895c6cde292b8dc1921babfe1372fa2a1fb018195151dcbce2c90298444f1ed31d594bdeb76be477b2ebca7ebbdee891

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.sos

Filesize
560B

MD5
7c7462d9ef4a27964ad1a7593fc20edf

SHA1
1e0099323893ad8a48f587bc82e8aded2052b5a7

SHA256
ca5a8a25adb873b3d4ddc423fe22e1a28e034d21e2445e38a36467add52418ea

SHA512
7b4d107d0d3a9c57920f63f75fbbca1e59f3d3e93a660737b8ba69ee29dcbf559ca7aa3a95ad2580b34bb80ac088aaf0a25830ffe86f74037dea481b02db2204

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.sos

Filesize
400B

MD5
c76c9318cddca8db2836119892fb5903

SHA1
67730824af5d01e15f8e6ef377be74b48b00f3dd

SHA256
e1ce640c49ae1e35b423ca761dc5366e58938e3970f9e1cdbde55eec8f9e9f18

SHA512
a0f39011215c9dd529ea5ccd5912c03bd694083ab65189914af53e426994a113ebfd08cd0d1bb3debe85e91ab6be9e204edff45c5b4f6ef79792732299367528

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.sos

Filesize
560B

MD5
613705c7ce6595df2201dcb4b99cc39a

SHA1
847a82305ad6cf12e4ba3a995de0ff75c66d84fa

SHA256
1f759125550d1b7dd2e9498461c8fc0581f713fa1e8d33ffa8ffeaa56c1b2f3c

SHA512
316602e4262dffd6d93e7e64b9aaf273a3e9286b338a96d936085b374fa4586425f3ece09a3bd892d3aef99c62d556a724f2800196023b1b95956423568de081

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.sos

Filesize
400B

MD5
c67e600a6145a76ff3a4c2364c4122be

SHA1
a0f69bbb1f3e8f6a273d163b270398df1ad5b2b7

SHA256
a1bddc85d83d700867b97a739fdd30005155fb14e053e97cf0062c682fc6d976

SHA512
7bd1f90a304603d9adee8dfd35acec4a58455a9fb17c67c4a6b0fd774a2fe75f8fa516d5e509e18d73f36fb63cf1e9bccbc8ffc5df073b27c764040d15a45168

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.sos

Filesize
560B

MD5
cd9efc5912b45ac3485ea82b96a8a471

SHA1
18d38ebff6b98dbc25518faad009143bd37666e9

SHA256
78dcbd9800702bbfd1a26939847087bbc99141872389b011dc1f572424cd3f53

SHA512
a9e2ad0a9d84894d8ee31d5b83812d604038c18e882d41d83b1b40225f594c03d8954305a31b698e118184a080887ae0ee8818a685ae61e116a8db33f041927c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.sos

Filesize
688B

MD5
8f503a4c5c27953cdfaf495f3a2cf312

SHA1
b83fa2cb356b1ff67f7bcdcfc0783e97cb1fdfff

SHA256
ea1a11c764ec9bc9ba3a2625f03405b87d69e9cd5fd4529fa4395c2b9ebf8d62

SHA512
5db415e95f68afaa5310eeed40fd1d34d03cd5e9f3fdcddc74dfc6c3705a98ed2036854b9f25f9ac6acac808458ba6fc66567688f2db9cae876e29873996a750

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.sos

Filesize
1KB

MD5
82cbbe22b879510cb83e680f14214891

SHA1
abf71eb55c92042d43086e69b6d1c93959162df8

SHA256
b761ba91fcd5cd416eee0d98bb47bb30305221831c6ff962740da6c4f95dc8f9

SHA512
ef602fd0e3d37019278b83afb0513b1cb20832f7917fc0b99030a01e0a0e55c9e38b8fd1f6e624bf1603f962fe811b1ed745d524183b24f5279e3232190e6523

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.sos

Filesize
192B

MD5
30dd292b9f8a8f9b7a0c52bbbd2c87ff

SHA1
7dc393330fe95745ff6337e9d404d6fb29097c59

SHA256
dc8c360d48e5243b544ccf4077b34a620bb6ae24d8979f7c1f41c1c757f45f71

SHA512
9f404d3c1dc03c95ff1866fd81e56041ec548837436849c75884622d68065defa2afa27ec61c6aa004b3a6fb1a76e4f1d5d3b6fa6d015bab9f0fbf2acb134424

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.sos

Filesize
704B

MD5
08f61f1459f9119573eb2ca4df40e34b

SHA1
e440b4725102d014f16519b290f97d30b3d69ea9

SHA256
f608bdce4663484ae2dcdc60bc26a8eb30d854d52f2cebaf732fba1f938a0698

SHA512
10ffa3a7c07d8ddcafaf1df5a89bba589e1b4c6650c925a7c67e2e28b786b7d3500f7953c67c9595476cf7b4e91dd21a0b55ac3a6b7540fed8e0dc1722c4c415

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.sos

Filesize
8KB

MD5
2d520312907aa40bbebcff24679124b8

SHA1
18c55d21efa6b3fb60806d9848cdf51fe4519c5d

SHA256
093cd5df3fcca311ca5058ee81a08ad9ca531af4fadf1bd341ed963faa358e29

SHA512
a4cecc5d22c47fd016bd81967d3ede827409ca8287dac17af8bc58de0ec05d6a708767d852efa219898120c573c5be91ecada92126ea7c2237200e842bb440a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.sos

Filesize
19KB

MD5
78044eadbbef5c20b310b81edb9cc7f4

SHA1
de309213395a15269ab97bbc09f39f6154f05063

SHA256
86d6a1ac67f30108c4aa9c396a2b7179c97cb5c11e0305c10f1a134673a90b93

SHA512
8e10b45dd88bc4cca4260ccade1fd83dc99c756b0582f14d3f73860788cc550bf8c6d2b86eb08da93d96d0b47c51774211cdaf0fc5cda0cde7c0be7d43194a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.sos

Filesize
832B

MD5
ff610472329e209c971e61bf83b081dd

SHA1
11a1271bb02a5a8b04a6e0633d246f51296461bc

SHA256
9379c40601a2b61cc450295953ca64e352b97c2e9f8bd002c4b715981c576898

SHA512
5f7d7f51b23644921f1fe44dd783dd9637a4d2d11702fb16db06f98d17ec60513e1e6985f16d9b57a516b5acbe009bb6a5f303a877ba4d2e96987f5bec9114e0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.sos

Filesize
1KB

MD5
6057b17df09a6e80ef03de5882e21640

SHA1
828c97c49f43dbca2b808070fbc0f2f62b6c976e

SHA256
f7b0619bd459d7bf359c1f4cedd34e4695dd493c647456987dcdfc5f60aaaf53

SHA512
250986527b07344dffe0ea71bac216e33b004bb84a67fa3527cea048b2cbb786186cc77547b8bca31290ea51a4b12cf132c87eb741c5766bccf672e90ecabd69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.sos

Filesize
1KB

MD5
8e4ec8fd6b69ebacaebfd10d7b808591

SHA1
9f9721ac08bcd35b049f8b0d1686e1f1bd914c63

SHA256
b38eb1f98cb7b0c5ba0e5d0ea93269a3ccd1e782fd853c9f9fba0d852bfdc32a

SHA512
ae67781d69de0ed76556aa0a996952723d3476399833a2c852e2ce9513e100096229fee8606caf0acb930198ff9b146164d643d705d4a6086c5094e39e275ee6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.sos

Filesize
2KB

MD5
7e8706f91781fcb94782d9604d6947d6

SHA1
f1830fb9657171f186449b9a1bc244d18c54a15c

SHA256
7d0935e8783b3e1378ed8e6f7a706e02c00f05fb52899edb83c243c2e3645a5b

SHA512
c3fcb8a29c9e53111462f35916bc8b753e1b149804e833dcc3257055e6eed9c61109ffacd7bb38951a0da13ca6a41062e774d267011a4bfb904b201ac7ccdf0c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.sos

Filesize
2KB

MD5
1bc411ca226061d39743bc69a43e3135

SHA1
4aafcfde3a1077e6adce4c6fa1028b4560c5e197

SHA256
e23894e617fd7bf0c0dba16a599d1da7e83bdb20b90d4c9d18f59a192b22ab22

SHA512
845996db242a8ebe6f77ab86b8ea30182a868c727537383b7de2110040f1e9bac73411ac666a56f08a3a6dd89f2af1eb490c744ee75ef671e3f3da1bc90a0cb2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.sos

Filesize
4KB

MD5
e430a09b73fd306087badef4ab13b8f1

SHA1
df428dbefb5d73112f599d80bbc0716c5ae9bfa2

SHA256
d51178cc512f61c428205ad94db424602861077669d7b8913e14f037bb218a3b

SHA512
6d5f345817bcbdcfd7083bf85cef871af74b2c840cabe2fa04dc11e0a2e299d6ada676d94374e2bef0cafa054e3bad7b306d725d4ca943918ace9a88e93753d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.sos

Filesize
304B

MD5
43360c8a22318b802f18c14e3b242815

SHA1
985ac1af40b2f8d8dca9ccc6caebd5a4d4aefabf

SHA256
4531142493b217a681aeda4494638e3dbe49398e6f3baa918ecc1b137ce14f97

SHA512
60ed43315c376b9579a2a6e9e229595c0d49006e1317bdcf5e581a157a8f72de09df6fd28c5b2ab7a06742bdf0c2533d2760ce5bcd6ae3722f70740688a3d1b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.sos

Filesize
400B

MD5
62600940148a9b0280d1dce7b6cad17d

SHA1
3acf197ab502a0897629e3d1cb5fb40082463625

SHA256
2ca428218281e36b3035a54e028218199a7573c7e16f0d34662bfb288ca8be6b

SHA512
5164078adbf76b472f9b1dfb7630151b025c9c81b77e28058c56aa5953f2812ca78328d103479018d59fac7f81ceb266fb08e77b7020545a3d7058b9d7634c3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.sos

Filesize
1008B

MD5
e11798558b5a65488f7f2feed32de67b

SHA1
cb9e3df6c0460aa85f552f73ccef7796b64f2e17

SHA256
ffd421974ec7f70754b8b959b2196bb1234da28ecd8fb6249f5f0df2db94c076

SHA512
d2ad11895de5e83ffe9d0e81ef5927e4ead0e851cdadc32799c4ee20c50198e2660f5a42ff31dcfcbe8a1cd3b6751d8b432ad70ac9ca38fb12ae31da19ffacc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.sos

Filesize
1KB

MD5
45227ed19c66bec018fbb3dc7f533a78

SHA1
831359a1b0c4b33451060e7a827eee3eec9076e4

SHA256
dd28611d0cc4283e5d7fbd7dea8afcd3f2abdd2c3a440afcb7600ad90878e5e1

SHA512
0a160b325295661c1b370c07f37e49607e5ec1ba9cbab26f641ab4cd750debdb38a67f8ed2446580731046968d3eb7f495a156fe6727c8097de364dae65f224e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.sos

Filesize
2KB

MD5
eb5842e387a663d67499b7607c2dce3e

SHA1
3c85098c881016e05dcc952c679471bb3b5da081

SHA256
c76e8b582372037b051c691298efb8f83162f93092b54fb026b932ce6320db35

SHA512
6bbb72b0c00c0b1fe305bbb3f82df73738a6b2038012db1cd67ff6d1ad50a0e7948309760657e131358fd49cc88193bc3537eca55136f1e02fea878ae88963c5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.sos

Filesize
848B

MD5
ddd098d75cec06a603843ac0f673353a

SHA1
4f55228132599f3f9de79fe1019f18e77f2ea3f3

SHA256
5d99f1eac3f360b24861ac5ed9db6f15fde42bcd7438d05a4ecd125c7c9c08fa

SHA512
f2654aeda60a3f7cb8f768f4ffc459ed671f4cece88bcc0207abe64597ea7509d556bf73f7cd7761fdd9d95e43abacef5cfec8448edffa04c491061939110131

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.sos

Filesize
32KB

MD5
381707adf1deb580b40372d15884523e

SHA1
72036a3e82877cfb5cfc7f9e234d5e2efc198589

SHA256
44f8449b151f31462057775dd1123fbf9fec5216764842eda748fe516db79572

SHA512
641c7b80ee80c6dffcfb249d2faf6294513b716b1a6626e5c90294ee24678d54f98335a584d323464756482be19293b90337b5fde5940d8dce3ab3288e5aedf2

Download Submit
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1.sos

Filesize
256B

MD5
930a4e8c1d3596094c54a01bf3cdfe60

SHA1
d150ba0e5b0fbc67ed246b0f3eed0ee31d6c9045

SHA256
a886d27b8c4cfd50aa0fea1822e11da2eb3a6b5248efb2c218778d416b16cbab

SHA512
2c14f00f10c4cd7116dfda3630c0af12cadad148d04a78ac59cb5397e0db22971fc86fdcc2e796f71d5c4ee6cc8a0bc56f70952d5a39739a034aa18665034686

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{c2066bf6-8098-4d79-bae9-cfb04f518f0f}\0.1.filtertrie.intermediate.txt.sos

Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{c2066bf6-8098-4d79-bae9-cfb04f518f0f}\0.2.filtertrie.intermediate.txt.sos

Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086594688776.txt.sos

Filesize
77KB

MD5
ba4322cde9f13af4f9eee094e19dea74

SHA1
ffc075c1b81fde57b1faac59fa4bf4966017a9cc

SHA256
d8b9dca18a21c862ea2f5d917e2fc74dc2fa742899c7048b3a361439cff9b2fe

SHA512
df6042e93a93feee993707d5e584d8f4441a68909d4da032c52c19112bea7838921804b82b39098734f3749404f3b2f3befabe191da76c53ecf76e929289c391

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586091897989945.txt.sos

Filesize
48KB

MD5
d2d98991640f351111e835d43a2aa274

SHA1
e16657b9474a518cf5e2cc6b2bc1c52763a54f2b

SHA256
5ad85386a3c6dc1cf4c48ddca9151b221d2673f79c2fb3e12fa93042dded0e36

SHA512
75f2a271f29ad3cd9681e1cf773ed469dfe19194bd9f40837897e2fffe45579b132b9f114aa55d5fd42df15a8937a00e92e3fad7257ad408a162e7eb785a39f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094768785820.txt.sos

Filesize
66KB

MD5
49decfe81666667c457426ab0aaef75f

SHA1
acc34ab1529ea7dd693f03363c142bdef769a7cd

SHA256
a43dba137e9a0e50daf794f7b2969acd3dd4232f05736aa7112ef57b86216de4

SHA512
bd0dd2daf63f9deddca74b6ee2f36c54efe05f920a33af26b14609850e87f9743169c6f7f5552bd38a3bc5257a29b5fe16950bba31ec1f62d56c5fff3ec5b302

Download Submit
C:\Users\Public\Documents\Winhttp.exe

Filesize
139KB

MD5
a2488db381a90da326053a2050cee0b3

SHA1
ccd2a0b649126f6fcd9c8118ee35c9444bc5acd3

SHA256
ab179853ce915ac8d41a77c553a56bd9c660f632326ab97929fd57b081138ef4

SHA512
3f9ae5f78f632e9b07f98ea88a806f7252340882f07081bfe2f1cdadde39a13324bee455a78971ade7e893d03ed27a1a7d123dd59b504eaf0adc8340457fad42

Download Submit
C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-100.png.sos

Filesize
992B

MD5
4bc3fa1934e7ef961f7e7cac92e1950b

SHA1
fabd3128d5b09055b5523b9f5e5efd7bc5c36ca1

SHA256
de6512ba3b589b8842eb0c27edd7de27e5250733cc041933dda4e87760d06582

SHA512
e16d3a66d1e6d281b5bb2d6368568795b29ef1da1b97702f66a34f0d723331bb94cfbcca9dc1fdc28a853af7031ec684ec281ed5cdfe18b5eceb9b93a891f616

Download Submit
C:\Windows\ImmersiveControlPanel\images\TinyTile.scale-100.png.sos

Filesize
576B

MD5
ea025259749e9db0e22523369f2c3b9a

SHA1
0258e77030935e3ffada2791519db556bc6b81ff

SHA256
5b114ea4c3fe481d15db4f2f0f5b76fbef9f43ac9dae4c71c8fe47e7913d713f

SHA512
9b789fe3f05e684e39c6c2534cb05af024132b64c8b836163e3b62f01ae28111c73b87a71e8f89ee6fe3be0bd8fa6a9f6323b479fc782614f1960b683ac1ecf6

Download Submit
C:\Windows\ImmersiveControlPanel\images\logo.png.sos

Filesize
368B

MD5
050bcdf4d9bb6e1a14d13d0fb16336de

SHA1
60e2cab77ceb09f6b1f5c24fa2a089ce3c554f17

SHA256
33a2059629bdc70a179bcada5088a0e116599758598a24ae5e1e894da0f56ef9

SHA512
f2b2393db4ca188e2e0e5a35974e850b59d15f519a892adf827b8f5edf2f9b88b3d577080118837378017f470dd9ea70f3283792e2b84e17976725b2c3ec16ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\DropSqlPersistenceProviderLogic.sql.sos

Filesize
2KB

MD5
3bf2d33f73c6893a20a537ea447a6e7b

SHA1
777dfdc4ee4eed26abf47fb0a30f04c4934957e4

SHA256
086134b901fcabd07b1f48053b6932237c67303b32a3335f3c02790dd3f0e484

SHA512
5b3d40a79cd60545e930dddb2a8ac912f45f6691368b481d31c30716259be6c90e6fc24b0b1e1c4cd9ba3504d21ce1c5e7d20f014289397aeec6f65567e2e4e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderLogic.sql.sos

Filesize
13KB

MD5
f085d68ebae5e0d1246b826a1b6b8a81

SHA1
4d07883ab3c46aad9a196e9cf91a9843ef270dba

SHA256
0f908b79c65b1453a881a53f006705282bd69d1c7abfcfb36669fff4bccdbe55

SHA512
9a27b422692e0bfba9c96925213b078c157a2299d0b44c6444cbbcdd11bc3d58d39272007a006a24e8f9cf81b57068929f3cfa9d17b937c7e07780f55044444b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\fr\DropSqlPersistenceProviderSchema.sql.sos

Filesize
1KB

MD5
fe6894d5f70985460aed4fb862329fd0

SHA1
4633449a249a57fdaedfc998959f8899a9385bfa

SHA256
ca8c763bbc36d0d674f5dcad8e3bbc97d20da9ed70b6b9409b083606db4c3335

SHA512
5bc558687151efb33037e08114b8fe16b4f20ffb69c1fb634b70c3e2c4e3ac4eb5e97fdfab53988958ac6d12d5e146c9ece6ebaa734319efb8a43222fa218587

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\DropSqlPersistenceProviderLogic.sql.sos

Filesize
1KB

MD5
baf47775f583f06c4577636ba27b63fc

SHA1
7cacdd05d6cadd14aaa42b6508207c1fe58fd6cf

SHA256
318c043059d22fee05b07c7b1778a439da77c3c8e9da2511120941706cc4bf4c

SHA512
726759c40cd0a364aba7ac037de203fe9048a5ba0d19e7f1d6c314f21a78c6e7c6979efb0346f08cb32907ae493e9e0c6daa89aa657638f6d532a2e2c7f4df18

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\DropSqlWorkflowInstanceStoreLogic.sql.sos

Filesize
5KB

MD5
dba1e94691a66ef9b7c58253415256f2

SHA1
304ad12a88e2b4f3db8c4930d12d17a598aded12

SHA256
2d488e914112f897fdca7dc4fbe7af5f55cc0c5b39d18e21a1857790f5e1bce8

SHA512
d99db0936e597f5ea00af70693350db631d9f58cfa8023b77e3305be36ceeec6d2163ee4ee3c3ed6470fb07b660b5e57d9fdd2bd368b6d0243a2ad6f44460e1a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\DropSqlWorkflowInstanceStoreSchema.sql.sos

Filesize
3KB

MD5
511787f429cf8d2104c06284cd96fb84

SHA1
df8b682cdd3a1e4732d46f54abd28aaf48014984

SHA256
213b18081756182ff3e8a85e529b42a4cd1dd9259db56ab7c395a90c486abde1

SHA512
3ecaa609bf51a8a2a71c98d8a03e776435c38048fdac4ccb4340bcdcdc1504afd14b9886004b9a45caa8fd91b0c7339c5e9b5cfd7c0cc9594b5528093aa35213

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlPersistenceProviderLogic.sql.sos

Filesize
6KB

MD5
e0e94a5d0f6e0c76321aec9adc611541

SHA1
b705acf4c964712970cf8d6e7081817ccbb56226

SHA256
ebce3b523501dbefd04df27d602d42af9df83afbb180aad1fc1526c0f6fa4301

SHA512
cb6358cef008f75d5190423da1b993b7a1df5ac21fc782937d61a18700e32a9f7d2f8900a418b55b81f87b838a58326606fd74f36d63b15a1ec62de9c2adcb22

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlWorkflowInstanceStoreLogic.sql.sos

Filesize
62KB

MD5
a1f1fd4fde88dd183d3cb2b528cfabd3

SHA1
475b473ebe5f094cae65e8cc2be377c25abfac91

SHA256
d4122aad0a37d7a28ef55f3284e4d69e937dbf81264842728a9e7cf1e6104040

SHA512
271cd9eac58c662ddae31b0bf65263eb006f63f0348ee0971499f8f9691a9463d4942606b008174c43cb6f36ce30d5ee4209e1d9143503ad852833869d8825be

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlWorkflowInstanceStoreSchema.sql.sos

Filesize
28KB

MD5
cc30cb66980b0ce495e3dc373f7d3e2a

SHA1
61aae09bca47f6fcff5d7532a3310cdd9753f759

SHA256
ac92cac3bd41897fd1887ed1b5bce66c5a2671b397f3d301984828d4f2617c88

SHA512
18e6d17b1e6f9631ba0adc24ac031b1b2b4e9a557c14eaee093aed8e611d272dc066c354786649d2e3f2227f4f0a16114ed065049ae427fbcaa9420c6cf307bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlWorkflowInstanceStoreSchemaUpgrade.sql.sos

Filesize
88KB

MD5
32ae70561bf28da39fb734eb01da049b

SHA1
4f4fbbba70d878b6e99421273def0b86ca7dc365

SHA256
cf449ffe25607d7f9c50964701c10469ede048e848f7d7fe380af6644d89ac79

SHA512
132835d00d0dec13a87e4bcf547af3abe9bd4bbfc30196e7d9640f2b50e13299e832b186003ececa357d3c0d66d3e00be2eb1424d692c7aafcf22e6883efdfdc

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk.sos

Filesize
416B

MD5
e25baa9f0fc68e966dbc27cd591f6d34

SHA1
e1635c45bceadf6c9c2a14728ae09e8eb17d4d28

SHA256
ad4144c82162c13f0aa4dafc0f2cf5b56053b5adcbb4d499541c1d22a77467db

SHA512
851e7103742d44c1d8990548a09c0f150aebcbe1839928b105ca3abe51151cd7045ade17097677155128ec37baa080e8a4e240c8a4628da80d4b41c81d9a4157

Download Submit
C:\Windows\System32\Printing_Admin_Scripts\it-IT\prncnfg.vbs.sos

Filesize
104KB

MD5
2b8cf2cd44709134cb4432806be2ae87

SHA1
58a2e665523b2d05a9cead41a2bf46d41680e131

SHA256
c9990beb33429b732485c170ea9e4e5fe3847e81da459becc6575e266ba93d25

SHA512
5050c2832b8ace6df0a63583b10fe03013dbd62d4634f9d495c8a345d06cdd0d1cd6c9bd6b6ba7ac3a0be3263147587bd0bb262966ce9861db7e71ae141645c8

Download Submit
C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnport.vbs.sos

Filesize
56KB

MD5
2279e4a585affd5b51af684842e99fe1

SHA1
521a0805af3c5c809b8e7b26071da878dbcc819e

SHA256
df75a969f3593e446f1565a2bab2832eb5cb6991bbf3c85e05c99115fc838dd3

SHA512
9215490642d7679b7b0aca1eea305441d461116a577ac47475340c1fd619c60109a26f51fb63c350413f6e1dbcce4799d88833b2b63f57639e6e50d742ef2da4

Download Submit
C:\Windows\System32\SevenRecode.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\servicing\Editions\ProfessionalSingleLanguageEdition.xml.sos

Filesize
30KB

MD5
664811fd86a5b42c997fe8974c81b195

SHA1
ab77a3641a0427a8c50afe7aa71998d87b5ebebb

SHA256
460e61f49272d1468d1d2fe3e3e258016d5af980214f170bfc0479d7735f77a6

SHA512
6360b5346e629d181d637bfd8b7709bc44456d5311ff52644aa7840086780ff86a1eedc4ff7682d002cc7babeb5870d859d98a3d9f690a94d0d843ec17a70b03

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads