1eddc7c828f55c4879decba9d8d1011deacc756ecbf137bb7abfb315a8d675b9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SevenRecode.exe
Size

67.6MB
MD5

272e0f870784656cfc714ed65c635c54
SHA1

5b32ce1a2178d9281d8ecebffabdb496a56ecd08
SHA256

a85f906174267927addab742727b2ef74a6327d33f8cd5ca6a9654657593e9eb
SHA512

e42a8aea5d12cc10510e8a02ccd350504fd77b2740f993f6bb2dab7769eeee1221fc6d2eca627e4ad98bc26f63f382ea0347aceecadaa61935f93c4198052bff
SSDEEP

786432:43a4EjmnHgFz47/vZCM2/55c2lStV07Abla0gGbiWj+:43a4EjaHgDM2/LjSD07tjG+

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Renames multiple (4271) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SevenRecode.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	SevenRecode.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRecode.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
64	raw.githubusercontent.com
65	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\@WirelessDisplayToast.png.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_mediumchanger.inf_amd64_69ea0d8614286224\c_mediumchanger.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\iscsi.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\wbem\xsl-mappings.xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\prnms003.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterLso.Format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_PrinterConfiguration.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fssystemrecovery.inf_amd64_aa57df1ffa9aace0\c_fssystemrecovery.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_scsiadapter.inf_amd64_efffb8c026d3abc5\c_scsiadapter.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ehstortcgdrv.inf_amd64_5cb0c23f45dac01c\ehstortcgdrv.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_TcpIpPrinterPort.format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterVmq.Format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_TcpIpPrinterPort.format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_3abc48e730d08fde\bthmtpenum.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatform.inf_amd64_b6b644565437983a\ndisimplatform.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\usbprint.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClientPSProvider.Types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsactivitymonitor.inf_amd64_cccd1b2cb61d2440\c_fsactivitymonitor.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_usb.inf_amd64_17c270ca25f45542\c_usb.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterVPort.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Smb.types.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClientPSProvider.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\percsas3i.inf_amd64_c17a63dada1eaa02\percsas3i.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-constraints.js.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdlsbuscbs.inf_amd64_0eb96a1741539c14\rdlsbuscbs.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\MSFT_DAClientExperienceConfiguration.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\virtualdisplayadapter.inf_amd64_bcc7550a6e285f92\virtualdisplayadapter.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdma_usb.inf_amd64_e879d41db6fd1ab8\wdma_usb.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\Dism.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterVmq.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_95e01117eb9c1bd2\mdmiodat.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\smartsamd.inf_amd64_2238284d493e89f4\SmartSAMD.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.types.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_Net6to4Configuration.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pcmcia.inf_amd64_cb18bba4788e47f7\pcmcia.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\slmgr.vbs.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_bf289615d063c627\mdmcomp.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj3.inf_amd64_9658f2eb83f061c9\mdmtdkj3.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_26dc960cc4c84207\mdmvv.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_096c9e42fe4749d2\sti.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\DnsCmdlets.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_PrintJob.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsquotamgmt.inf_amd64_5f092e2a496f61af\c_fsquotamgmt.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\MSFT_NetSwitchTeamMember.format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\EventTracingManagement\MSFT_EtwTraceSession_v1.0.format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mgtdyn.inf_amd64_a6235e923dc4047c\mgtdyn.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_683fd853c8b8a4db\usb.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PKI\pki.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_28542b9aafacda15\mdmpsion.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_9af3a8a63d4cb5f9\memory.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\prnms012.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_ae02676ac3e3c474\wvmic.inf.sos	SevenRecode.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpwhurtw.tmp.jpg"	SevenRecode.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-16.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\189.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Landing.svg.sos	SevenRecode.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBe.snippets.ps1xml.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.Tests.ps1.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseEar.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-256_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo.png.sos	SevenRecode.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-32_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\BuildInfo.xml.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\199.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-256.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-300.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\3DViewerProductDescription-universal.xml.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.ps1.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg.sos	SevenRecode.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printing-powershell_31bf3856ad364e35_10.0.19041.746_none_2a47504bd1d8220e\MSFT_LprPrinterPort.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\coffee.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\splashscreen.contrast-white_scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\PLA\Reports\en-US\Report.System.Summary.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_tsgenericusbdriver.inf_31bf3856ad364e35_10.0.19041.1151_none_5977f756866b1632\TSGenericUSBDriver.inf.sos	SevenRecode.exe
File created	C:\Windows\INF\volume.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iesecuritydiagnostic_31bf3856ad364e35_10.0.19041.1_none_4a561be6a723ae5e\IESecurity_TroubleShooter.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Square71x71Logo.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\editor.main.nls.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ialibrarydiagnostic_31bf3856ad364e35_10.0.19041.1_none_dedee787078f40e3\TS_WindowsMediaPlayer.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft.certifica..s.pkiclient.cmdlets_31bf3856ad364e35_10.0.19041.746_none_6ff5291e6a0cd6ac\pki.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\filesnodeicon.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_10.0.19041.1_none_f0510b72ed025043\TS_DisplayIdleTimeout.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Wide310x150Logo.contrast-white_scale-150.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.1_none_03928ee4a9e5894c\RequestedDownloadsLargeCloudIcon.contrast-black_scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\r\oobelocalaccount-page.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\formatterTypescriptServices.nls.keys.js.sos	SevenRecode.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_mdmtdkj3.inf_31bf3856ad364e35_10.0.19041.1_none_cfe3a5fe151abe4f\mdmtdkj3.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\New-Fixture.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPStoreLogo.scale-400_contrast-white.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\splashscreen.contrast-black_scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\oobeautopilotactivation-page.js.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\Assets\Wide310x150Logo.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\hololensWorkAccountPage.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_mdmracal.inf_31bf3856ad364e35_10.0.19041.1_none_bd709414e3de27c0\mdmracal.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\insertbase.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_fr-fr_1913b24a44b591ab\Tracking_Schema.sql.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\SmallIcon.targetsize-16.png.sos	SevenRecode.exe
File created	C:\Windows\servicing\Sessions\31101482_2373895951.back.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\resources.js.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\26.txt.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\BadgeLogo.scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.scale-100_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_wstorvsp.inf_31bf3856ad364e35_10.0.19041.985_none_9ec3d9e91b3d1b4c\wstorvsp.inf.sos	SevenRecode.exe
File created	C:\Windows\Media\Windows Print complete.wav.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_hidbth.inf_31bf3856ad364e35_10.0.19041.423_none_226d067426a3a65c\hidbth.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_iastorv.inf_31bf3856ad364e35_10.0.19041.1_none_dc98afdac988ca55\iastorv.inf.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\INF\miradisp.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.264_none_a61d15efb6291d40\Answer.scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\WideLogo310x150.scale-100.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxBlockMap.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_whyperkbd.inf_31bf3856ad364e35_10.0.19041.1_none_8a6620005875ccc5\whyperkbd.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Square44x44Logo.targetsize-16_altform-unplated_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\Cursors\person.svg.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square44x44Logo.scale-100.png.sos	SevenRecode.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsCloudIcon.contrast-black_scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_c3423ff2a842a4c8\f\ntprint.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..trolpanel.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d23715c9ea6f2f2c\r\appxmanifest.xml.sos	SevenRecode.exe
File created	C:\Windows\INF\c_printer.inf.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\PPIRemovableStorageDevicesSquareTile150x150.scale-100.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\SquareLogo44x44.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobehello-main.html.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\ooberegion-page.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1202_none_d081f9868ac0a804\PasswordExpiry.contrast-white_scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\diagnostics\system\WindowsUpdate\cl_windowsupdate.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bluetoothdiagnostic_31bf3856ad364e35_10.0.19041.746_none_77afd174abe4f214\BluetoothDiagnostic.xml.sos	SevenRecode.exe
File created	C:\Windows\diagnostics\system\Apps\RC_TempInetFolder.ps1.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\Assets\SquareTile71x71.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\serviceworker\serviceworker.html.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\autopilot\autopilotespprogress-main.html.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..zer-fr-fr-n-onecore_31bf3856ad364e35_10.0.19041.1_none_0bf864d6d24d83fe\Tokens_SR_fr-FR-N.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_c_multifunction.inf_31bf3856ad364e35_10.0.19041.1_none_7b5716b71723acf4\c_multifunction.inf.sos	SevenRecode.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3996	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	SevenRecode.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4916	2604	SevenRecode.exe	85
PID 2604 wrote to memory of 4916	2604	SevenRecode.exe	85
PID 2604 wrote to memory of 4916	2604	SevenRecode.exe	85
PID 2604 wrote to memory of 4592	2604	SevenRecode.exe	87
PID 2604 wrote to memory of 4592	2604	SevenRecode.exe	87
PID 2604 wrote to memory of 4592	2604	SevenRecode.exe	87
PID 4592 wrote to memory of 2424	4592	cmd.exe	89
PID 4592 wrote to memory of 2424	4592	cmd.exe	89
PID 4592 wrote to memory of 2424	4592	cmd.exe	89
PID 2604 wrote to memory of 2568	2604	SevenRecode.exe	90
PID 2604 wrote to memory of 2568	2604	SevenRecode.exe	90
PID 2604 wrote to memory of 2568	2604	SevenRecode.exe	90
PID 2604 wrote to memory of 1904	2604	SevenRecode.exe	92
PID 2604 wrote to memory of 1904	2604	SevenRecode.exe	92
PID 2604 wrote to memory of 1904	2604	SevenRecode.exe	92
PID 1904 wrote to memory of 5080	1904	cmd.exe	94
PID 1904 wrote to memory of 5080	1904	cmd.exe	94
PID 1904 wrote to memory of 5080	1904	cmd.exe	94
PID 2604 wrote to memory of 1928	2604	SevenRecode.exe	95
PID 2604 wrote to memory of 1928	2604	SevenRecode.exe	95
PID 2604 wrote to memory of 1928	2604	SevenRecode.exe	95
PID 2604 wrote to memory of 3296	2604	SevenRecode.exe	97
PID 2604 wrote to memory of 3296	2604	SevenRecode.exe	97
PID 2604 wrote to memory of 3296	2604	SevenRecode.exe	97
PID 3296 wrote to memory of 3344	3296	cmd.exe	99
PID 3296 wrote to memory of 3344	3296	cmd.exe	99
PID 3296 wrote to memory of 3344	3296	cmd.exe	99
PID 2604 wrote to memory of 2520	2604	SevenRecode.exe	100
PID 2604 wrote to memory of 2520	2604	SevenRecode.exe	100
PID 2604 wrote to memory of 2520	2604	SevenRecode.exe	100
PID 2520 wrote to memory of 2172	2520	cmd.exe	102
PID 2520 wrote to memory of 2172	2520	cmd.exe	102
PID 2520 wrote to memory of 2172	2520	cmd.exe	102
PID 2604 wrote to memory of 5012	2604	SevenRecode.exe	103
PID 2604 wrote to memory of 5012	2604	SevenRecode.exe	103
PID 2604 wrote to memory of 5012	2604	SevenRecode.exe	103
PID 5012 wrote to memory of 1092	5012	cmd.exe	105
PID 5012 wrote to memory of 1092	5012	cmd.exe	105
PID 5012 wrote to memory of 1092	5012	cmd.exe	105
PID 2604 wrote to memory of 4868	2604	SevenRecode.exe	106
PID 2604 wrote to memory of 4868	2604	SevenRecode.exe	106
PID 2604 wrote to memory of 4868	2604	SevenRecode.exe	106
PID 2604 wrote to memory of 1020	2604	SevenRecode.exe	108
PID 2604 wrote to memory of 1020	2604	SevenRecode.exe	108
PID 2604 wrote to memory of 1020	2604	SevenRecode.exe	108
PID 1020 wrote to memory of 2836	1020	cmd.exe	110
PID 1020 wrote to memory of 2836	1020	cmd.exe	110
PID 1020 wrote to memory of 2836	1020	cmd.exe	110
PID 2604 wrote to memory of 1376	2604	SevenRecode.exe	111
PID 2604 wrote to memory of 1376	2604	SevenRecode.exe	111
PID 2604 wrote to memory of 1376	2604	SevenRecode.exe	111
PID 2604 wrote to memory of 4780	2604	SevenRecode.exe	113
PID 2604 wrote to memory of 4780	2604	SevenRecode.exe	113
PID 2604 wrote to memory of 4780	2604	SevenRecode.exe	113
PID 4780 wrote to memory of 4964	4780	cmd.exe	115
PID 4780 wrote to memory of 4964	4780	cmd.exe	115
PID 4780 wrote to memory of 4964	4780	cmd.exe	115
PID 2604 wrote to memory of 1004	2604	SevenRecode.exe	116
PID 2604 wrote to memory of 1004	2604	SevenRecode.exe	116
PID 2604 wrote to memory of 1004	2604	SevenRecode.exe	116
PID 2604 wrote to memory of 4664	2604	SevenRecode.exe	118
PID 2604 wrote to memory of 4664	2604	SevenRecode.exe	118
PID 2604 wrote to memory of 4664	2604	SevenRecode.exe	118
PID 4664 wrote to memory of 4152	4664	cmd.exe	120

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5080	attrib.exe
4964	attrib.exe
4152	attrib.exe
1896	attrib.exe
3344	attrib.exe
2172	attrib.exe
2836	attrib.exe
2424	attrib.exe
3308	attrib.exe
1560	attrib.exe
4476	attrib.exe
1092	attrib.exe
4044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe
"C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\Winhttp.exe"
  2⤵
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\SevenRecode.dll"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.dll"
    3⤵
    - Views/modifies file attributes
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Users\Public\Documents\Winhttp.exe"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\SevenRecode.exe"
  2⤵
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.exe"
    3⤵
    - Views/modifies file attributes
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Users\Public\Documents\SevenRecode.dll"
  2⤵
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.dll"
    3⤵
    - Views/modifies file attributes
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\SevenRecode.runtimeconfig.json"
  2⤵
  PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:3308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.exe"
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.exe"
    3⤵
    - Views/modifies file attributes
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.exe"
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.exe"
    3⤵
    - Views/modifies file attributes
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:4044
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\system32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
  2⤵
  - Creates scheduled task(s)
  PID:3996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.sos

Filesize
720B

MD5
c18be9a6683d4091603e827f96ff19c0

SHA1
93870909eb5fe9946b0dcb8ee47b9d2ec5aa4fef

SHA256
97f0d005fbf7e526e565a3c981386e47fec434374d4f96431afb52bd77824cba

SHA512
19a2d86df2cee824358f364fec37737a2a9e987c69ce9318037db2e310f6a36c2e9b4058b91aee9a1e5736fe52777a45d44cd3167546cbe24f5e0a89c1b7f072

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.sos

Filesize
7KB

MD5
ac0c5b1f0890f8f7d68f9d73acf82b50

SHA1
d02d3ab9952e1ebedc2b2fcb2e9e8b9f00ee286a

SHA256
4069a844a487c8aefb08119eedbaae8801cea467fb09399a991771de7e8e1811

SHA512
4a9a14a07da87dacceb62492d3d1e712a8f806d25bf304ad956641cdb2faa7dbbcaa64b2fe9f69a5015d75e91ddf5181916d21ccbc4f8d309e8183807dad7849

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.sos

Filesize
15KB

MD5
e2c7edb05c3e4e5dee2fdaaadf61f59a

SHA1
c6cbf44697407e40f145ad26629145e390d63864

SHA256
eab5180305a44567b5aac75f6e702f36f051fb10db9e70a8317d546764cad814

SHA512
25ccce12edd2284243bc2edc0906153adfa43ca2a358cf2e46082a0402a51497f264b9493ab8297baab1e81deac8dfa2dcccd27ffc73b26f729e9c550edb0217

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.sos

Filesize
8KB

MD5
25a53c8123df35ebf05c5612fff0cea9

SHA1
6de58e0e636b5008e4762a7380c5ec8338a02fad

SHA256
91d2f884822715f0f6d0b2813f5a68d48d3ca34c561a3faa126d5f37ea48a043

SHA512
f49cf4519194d8044bb8d8dd5e902a750cb9608fde7e682c2ba624d345fdc75c035dce1b7cb24a6f8dfa59051825ccb6e5d7e5d4da91cab3fb2b0a16e6d26569

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.sos

Filesize
17KB

MD5
e7bdac54bc35961274d85cb879cb3a5f

SHA1
17d5e6947bdb5e7dab410dabf20934d1e5d6151d

SHA256
d0d77291b9b4e0e9c27f2d59777f458a4d30aaac18c49914b9d2494e01768a5a

SHA512
62478a8a8faf7e29fe0ff822f88f6c0a22ee9d13dff62d89649806056bb6fd3730fede5b4651311d017696c8dd0de92ee66a79f64db75621f52efcf4a1cf0639

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.sos

Filesize
448B

MD5
08074361cfaacb9230a37d1ec7f30c42

SHA1
45e2ccf94e69c5a9f83e7be992bb7cf57859ed56

SHA256
e3ce9dc337bc5e9cf1040a9462126beb5cd4d38510d1ebd2bea2110f3ea69c2b

SHA512
2137411f129ecbe9231c8ea7308ab3dd9942f7936648521469801b79147888047725acd383b3908fe3b385044050542b084543f1e68908c74ed5d45df20b414f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.sos

Filesize
624B

MD5
ac9c2131040639e559a790d6c3325258

SHA1
8c4967481008c67fc76fcb236ad59dc940f46618

SHA256
3e9712251a7e6d4b1927be0c0e7fbfc85c267be4beed4eb23ddd7de24f166d3f

SHA512
46bf0c7b89bd9cc7f4771c64b7eab06ae870f7f95685e12c0541314495352403374899b8ce101b741a1c8da440c27aaddc95e73b3418e263591c386c8e7c7445

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.sos

Filesize
400B

MD5
4916680f2d27bb9d179ebc65b0149a89

SHA1
49d7f6cfd26be12a8d71a83053f13f1e1b605652

SHA256
f7ea397f27665d2d1cfe50681081f761a271930362a948d805b0621ceeba204d

SHA512
4bc6a3c000a01fa4ba4dcdf8c82d3cc0895c6cde292b8dc1921babfe1372fa2a1fb018195151dcbce2c90298444f1ed31d594bdeb76be477b2ebca7ebbdee891

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.sos

Filesize
560B

MD5
7c7462d9ef4a27964ad1a7593fc20edf

SHA1
1e0099323893ad8a48f587bc82e8aded2052b5a7

SHA256
ca5a8a25adb873b3d4ddc423fe22e1a28e034d21e2445e38a36467add52418ea

SHA512
7b4d107d0d3a9c57920f63f75fbbca1e59f3d3e93a660737b8ba69ee29dcbf559ca7aa3a95ad2580b34bb80ac088aaf0a25830ffe86f74037dea481b02db2204

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.sos

Filesize
400B

MD5
c76c9318cddca8db2836119892fb5903

SHA1
67730824af5d01e15f8e6ef377be74b48b00f3dd

SHA256
e1ce640c49ae1e35b423ca761dc5366e58938e3970f9e1cdbde55eec8f9e9f18

SHA512
a0f39011215c9dd529ea5ccd5912c03bd694083ab65189914af53e426994a113ebfd08cd0d1bb3debe85e91ab6be9e204edff45c5b4f6ef79792732299367528

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.sos

Filesize
560B

MD5
613705c7ce6595df2201dcb4b99cc39a

SHA1
847a82305ad6cf12e4ba3a995de0ff75c66d84fa

SHA256
1f759125550d1b7dd2e9498461c8fc0581f713fa1e8d33ffa8ffeaa56c1b2f3c

SHA512
316602e4262dffd6d93e7e64b9aaf273a3e9286b338a96d936085b374fa4586425f3ece09a3bd892d3aef99c62d556a724f2800196023b1b95956423568de081

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.sos

Filesize
400B

MD5
c67e600a6145a76ff3a4c2364c4122be

SHA1
a0f69bbb1f3e8f6a273d163b270398df1ad5b2b7

SHA256
a1bddc85d83d700867b97a739fdd30005155fb14e053e97cf0062c682fc6d976

SHA512
7bd1f90a304603d9adee8dfd35acec4a58455a9fb17c67c4a6b0fd774a2fe75f8fa516d5e509e18d73f36fb63cf1e9bccbc8ffc5df073b27c764040d15a45168

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.sos

Filesize
560B

MD5
cd9efc5912b45ac3485ea82b96a8a471

SHA1
18d38ebff6b98dbc25518faad009143bd37666e9

SHA256
78dcbd9800702bbfd1a26939847087bbc99141872389b011dc1f572424cd3f53

SHA512
a9e2ad0a9d84894d8ee31d5b83812d604038c18e882d41d83b1b40225f594c03d8954305a31b698e118184a080887ae0ee8818a685ae61e116a8db33f041927c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.sos

Filesize
688B

MD5
8f503a4c5c27953cdfaf495f3a2cf312

SHA1
b83fa2cb356b1ff67f7bcdcfc0783e97cb1fdfff

SHA256
ea1a11c764ec9bc9ba3a2625f03405b87d69e9cd5fd4529fa4395c2b9ebf8d62

SHA512
5db415e95f68afaa5310eeed40fd1d34d03cd5e9f3fdcddc74dfc6c3705a98ed2036854b9f25f9ac6acac808458ba6fc66567688f2db9cae876e29873996a750

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.sos

Filesize
1KB

MD5
82cbbe22b879510cb83e680f14214891

SHA1
abf71eb55c92042d43086e69b6d1c93959162df8

SHA256
b761ba91fcd5cd416eee0d98bb47bb30305221831c6ff962740da6c4f95dc8f9

SHA512
ef602fd0e3d37019278b83afb0513b1cb20832f7917fc0b99030a01e0a0e55c9e38b8fd1f6e624bf1603f962fe811b1ed745d524183b24f5279e3232190e6523

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.sos

Filesize
192B

MD5
30dd292b9f8a8f9b7a0c52bbbd2c87ff

SHA1
7dc393330fe95745ff6337e9d404d6fb29097c59

SHA256
dc8c360d48e5243b544ccf4077b34a620bb6ae24d8979f7c1f41c1c757f45f71

SHA512
9f404d3c1dc03c95ff1866fd81e56041ec548837436849c75884622d68065defa2afa27ec61c6aa004b3a6fb1a76e4f1d5d3b6fa6d015bab9f0fbf2acb134424

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.sos

Filesize
704B

MD5
08f61f1459f9119573eb2ca4df40e34b

SHA1
e440b4725102d014f16519b290f97d30b3d69ea9

SHA256
f608bdce4663484ae2dcdc60bc26a8eb30d854d52f2cebaf732fba1f938a0698

SHA512
10ffa3a7c07d8ddcafaf1df5a89bba589e1b4c6650c925a7c67e2e28b786b7d3500f7953c67c9595476cf7b4e91dd21a0b55ac3a6b7540fed8e0dc1722c4c415

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.sos

Filesize
8KB

MD5
2d520312907aa40bbebcff24679124b8

SHA1
18c55d21efa6b3fb60806d9848cdf51fe4519c5d

SHA256
093cd5df3fcca311ca5058ee81a08ad9ca531af4fadf1bd341ed963faa358e29

SHA512
a4cecc5d22c47fd016bd81967d3ede827409ca8287dac17af8bc58de0ec05d6a708767d852efa219898120c573c5be91ecada92126ea7c2237200e842bb440a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.sos

Filesize
19KB

MD5
78044eadbbef5c20b310b81edb9cc7f4

SHA1
de309213395a15269ab97bbc09f39f6154f05063

SHA256
86d6a1ac67f30108c4aa9c396a2b7179c97cb5c11e0305c10f1a134673a90b93

SHA512
8e10b45dd88bc4cca4260ccade1fd83dc99c756b0582f14d3f73860788cc550bf8c6d2b86eb08da93d96d0b47c51774211cdaf0fc5cda0cde7c0be7d43194a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.sos

Filesize
832B

MD5
ff610472329e209c971e61bf83b081dd

SHA1
11a1271bb02a5a8b04a6e0633d246f51296461bc

SHA256
9379c40601a2b61cc450295953ca64e352b97c2e9f8bd002c4b715981c576898

SHA512
5f7d7f51b23644921f1fe44dd783dd9637a4d2d11702fb16db06f98d17ec60513e1e6985f16d9b57a516b5acbe009bb6a5f303a877ba4d2e96987f5bec9114e0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.sos

Filesize
1KB

MD5
6057b17df09a6e80ef03de5882e21640

SHA1
828c97c49f43dbca2b808070fbc0f2f62b6c976e

SHA256
f7b0619bd459d7bf359c1f4cedd34e4695dd493c647456987dcdfc5f60aaaf53

SHA512
250986527b07344dffe0ea71bac216e33b004bb84a67fa3527cea048b2cbb786186cc77547b8bca31290ea51a4b12cf132c87eb741c5766bccf672e90ecabd69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.sos

Filesize
1KB

MD5
8e4ec8fd6b69ebacaebfd10d7b808591

SHA1
9f9721ac08bcd35b049f8b0d1686e1f1bd914c63

SHA256
b38eb1f98cb7b0c5ba0e5d0ea93269a3ccd1e782fd853c9f9fba0d852bfdc32a

SHA512
ae67781d69de0ed76556aa0a996952723d3476399833a2c852e2ce9513e100096229fee8606caf0acb930198ff9b146164d643d705d4a6086c5094e39e275ee6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.sos

Filesize
2KB

MD5
7e8706f91781fcb94782d9604d6947d6

SHA1
f1830fb9657171f186449b9a1bc244d18c54a15c

SHA256
7d0935e8783b3e1378ed8e6f7a706e02c00f05fb52899edb83c243c2e3645a5b

SHA512
c3fcb8a29c9e53111462f35916bc8b753e1b149804e833dcc3257055e6eed9c61109ffacd7bb38951a0da13ca6a41062e774d267011a4bfb904b201ac7ccdf0c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.sos

Filesize
2KB

MD5
1bc411ca226061d39743bc69a43e3135

SHA1
4aafcfde3a1077e6adce4c6fa1028b4560c5e197

SHA256
e23894e617fd7bf0c0dba16a599d1da7e83bdb20b90d4c9d18f59a192b22ab22

SHA512
845996db242a8ebe6f77ab86b8ea30182a868c727537383b7de2110040f1e9bac73411ac666a56f08a3a6dd89f2af1eb490c744ee75ef671e3f3da1bc90a0cb2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.sos

Filesize
4KB

MD5
e430a09b73fd306087badef4ab13b8f1

SHA1
df428dbefb5d73112f599d80bbc0716c5ae9bfa2

SHA256
d51178cc512f61c428205ad94db424602861077669d7b8913e14f037bb218a3b

SHA512
6d5f345817bcbdcfd7083bf85cef871af74b2c840cabe2fa04dc11e0a2e299d6ada676d94374e2bef0cafa054e3bad7b306d725d4ca943918ace9a88e93753d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.sos

Filesize
304B

MD5
43360c8a22318b802f18c14e3b242815

SHA1
985ac1af40b2f8d8dca9ccc6caebd5a4d4aefabf

SHA256
4531142493b217a681aeda4494638e3dbe49398e6f3baa918ecc1b137ce14f97

SHA512
60ed43315c376b9579a2a6e9e229595c0d49006e1317bdcf5e581a157a8f72de09df6fd28c5b2ab7a06742bdf0c2533d2760ce5bcd6ae3722f70740688a3d1b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.sos

Filesize
400B

MD5
62600940148a9b0280d1dce7b6cad17d

SHA1
3acf197ab502a0897629e3d1cb5fb40082463625

SHA256
2ca428218281e36b3035a54e028218199a7573c7e16f0d34662bfb288ca8be6b

SHA512
5164078adbf76b472f9b1dfb7630151b025c9c81b77e28058c56aa5953f2812ca78328d103479018d59fac7f81ceb266fb08e77b7020545a3d7058b9d7634c3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.sos

Filesize
1008B

MD5
e11798558b5a65488f7f2feed32de67b

SHA1
cb9e3df6c0460aa85f552f73ccef7796b64f2e17

SHA256
ffd421974ec7f70754b8b959b2196bb1234da28ecd8fb6249f5f0df2db94c076

SHA512
d2ad11895de5e83ffe9d0e81ef5927e4ead0e851cdadc32799c4ee20c50198e2660f5a42ff31dcfcbe8a1cd3b6751d8b432ad70ac9ca38fb12ae31da19ffacc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.sos

Filesize
1KB

MD5
45227ed19c66bec018fbb3dc7f533a78

SHA1
831359a1b0c4b33451060e7a827eee3eec9076e4

SHA256
dd28611d0cc4283e5d7fbd7dea8afcd3f2abdd2c3a440afcb7600ad90878e5e1

SHA512
0a160b325295661c1b370c07f37e49607e5ec1ba9cbab26f641ab4cd750debdb38a67f8ed2446580731046968d3eb7f495a156fe6727c8097de364dae65f224e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.sos

Filesize
2KB

MD5
eb5842e387a663d67499b7607c2dce3e

SHA1
3c85098c881016e05dcc952c679471bb3b5da081

SHA256
c76e8b582372037b051c691298efb8f83162f93092b54fb026b932ce6320db35

SHA512
6bbb72b0c00c0b1fe305bbb3f82df73738a6b2038012db1cd67ff6d1ad50a0e7948309760657e131358fd49cc88193bc3537eca55136f1e02fea878ae88963c5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.sos

Filesize
848B

MD5
ddd098d75cec06a603843ac0f673353a

SHA1
4f55228132599f3f9de79fe1019f18e77f2ea3f3

SHA256
5d99f1eac3f360b24861ac5ed9db6f15fde42bcd7438d05a4ecd125c7c9c08fa

SHA512
f2654aeda60a3f7cb8f768f4ffc459ed671f4cece88bcc0207abe64597ea7509d556bf73f7cd7761fdd9d95e43abacef5cfec8448edffa04c491061939110131

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.sos

Filesize
32KB

MD5
381707adf1deb580b40372d15884523e

SHA1
72036a3e82877cfb5cfc7f9e234d5e2efc198589

SHA256
44f8449b151f31462057775dd1123fbf9fec5216764842eda748fe516db79572

SHA512
641c7b80ee80c6dffcfb249d2faf6294513b716b1a6626e5c90294ee24678d54f98335a584d323464756482be19293b90337b5fde5940d8dce3ab3288e5aedf2

Download Submit
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1.sos

Filesize
256B

MD5
930a4e8c1d3596094c54a01bf3cdfe60

SHA1
d150ba0e5b0fbc67ed246b0f3eed0ee31d6c9045

SHA256
a886d27b8c4cfd50aa0fea1822e11da2eb3a6b5248efb2c218778d416b16cbab

SHA512
2c14f00f10c4cd7116dfda3630c0af12cadad148d04a78ac59cb5397e0db22971fc86fdcc2e796f71d5c4ee6cc8a0bc56f70952d5a39739a034aa18665034686

Download Submit
C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-100.png.sos

Filesize
992B

MD5
4bc3fa1934e7ef961f7e7cac92e1950b

SHA1
fabd3128d5b09055b5523b9f5e5efd7bc5c36ca1

SHA256
de6512ba3b589b8842eb0c27edd7de27e5250733cc041933dda4e87760d06582

SHA512
e16d3a66d1e6d281b5bb2d6368568795b29ef1da1b97702f66a34f0d723331bb94cfbcca9dc1fdc28a853af7031ec684ec281ed5cdfe18b5eceb9b93a891f616

Download Submit
C:\Windows\ImmersiveControlPanel\images\TinyTile.scale-100.png.sos

Filesize
576B

MD5
ea025259749e9db0e22523369f2c3b9a

SHA1
0258e77030935e3ffada2791519db556bc6b81ff

SHA256
5b114ea4c3fe481d15db4f2f0f5b76fbef9f43ac9dae4c71c8fe47e7913d713f

SHA512
9b789fe3f05e684e39c6c2534cb05af024132b64c8b836163e3b62f01ae28111c73b87a71e8f89ee6fe3be0bd8fa6a9f6323b479fc782614f1960b683ac1ecf6

Download Submit
C:\Windows\ImmersiveControlPanel\images\logo.scale-100.png.sos

Filesize
368B

MD5
050bcdf4d9bb6e1a14d13d0fb16336de

SHA1
60e2cab77ceb09f6b1f5c24fa2a089ce3c554f17

SHA256
33a2059629bdc70a179bcada5088a0e116599758598a24ae5e1e894da0f56ef9

SHA512
f2b2393db4ca188e2e0e5a35974e850b59d15f519a892adf827b8f5edf2f9b88b3d577080118837378017f470dd9ea70f3283792e2b84e17976725b2c3ec16ae

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\DropSqlPersistenceProviderLogic.sql.sos

Filesize
2KB

MD5
3bf2d33f73c6893a20a537ea447a6e7b

SHA1
777dfdc4ee4eed26abf47fb0a30f04c4934957e4

SHA256
086134b901fcabd07b1f48053b6932237c67303b32a3335f3c02790dd3f0e484

SHA512
5b3d40a79cd60545e930dddb2a8ac912f45f6691368b481d31c30716259be6c90e6fc24b0b1e1c4cd9ba3504d21ce1c5e7d20f014289397aeec6f65567e2e4e5

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderLogic.sql.sos

Filesize
13KB

MD5
f085d68ebae5e0d1246b826a1b6b8a81

SHA1
4d07883ab3c46aad9a196e9cf91a9843ef270dba

SHA256
0f908b79c65b1453a881a53f006705282bd69d1c7abfcfb36669fff4bccdbe55

SHA512
9a27b422692e0bfba9c96925213b078c157a2299d0b44c6444cbbcdd11bc3d58d39272007a006a24e8f9cf81b57068929f3cfa9d17b937c7e07780f55044444b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\fr\DropSqlPersistenceProviderSchema.sql.sos

Filesize
1KB

MD5
fe6894d5f70985460aed4fb862329fd0

SHA1
4633449a249a57fdaedfc998959f8899a9385bfa

SHA256
ca8c763bbc36d0d674f5dcad8e3bbc97d20da9ed70b6b9409b083606db4c3335

SHA512
5bc558687151efb33037e08114b8fe16b4f20ffb69c1fb634b70c3e2c4e3ac4eb5e97fdfab53988958ac6d12d5e146c9ece6ebaa734319efb8a43222fa218587

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\DropSqlPersistenceProviderLogic.sql.sos

Filesize
1KB

MD5
baf47775f583f06c4577636ba27b63fc

SHA1
7cacdd05d6cadd14aaa42b6508207c1fe58fd6cf

SHA256
318c043059d22fee05b07c7b1778a439da77c3c8e9da2511120941706cc4bf4c

SHA512
726759c40cd0a364aba7ac037de203fe9048a5ba0d19e7f1d6c314f21a78c6e7c6979efb0346f08cb32907ae493e9e0c6daa89aa657638f6d532a2e2c7f4df18

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\DropSqlWorkflowInstanceStoreLogic.sql.sos

Filesize
5KB

MD5
dba1e94691a66ef9b7c58253415256f2

SHA1
304ad12a88e2b4f3db8c4930d12d17a598aded12

SHA256
2d488e914112f897fdca7dc4fbe7af5f55cc0c5b39d18e21a1857790f5e1bce8

SHA512
d99db0936e597f5ea00af70693350db631d9f58cfa8023b77e3305be36ceeec6d2163ee4ee3c3ed6470fb07b660b5e57d9fdd2bd368b6d0243a2ad6f44460e1a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\DropSqlWorkflowInstanceStoreSchema.sql.sos

Filesize
3KB

MD5
511787f429cf8d2104c06284cd96fb84

SHA1
df8b682cdd3a1e4732d46f54abd28aaf48014984

SHA256
213b18081756182ff3e8a85e529b42a4cd1dd9259db56ab7c395a90c486abde1

SHA512
3ecaa609bf51a8a2a71c98d8a03e776435c38048fdac4ccb4340bcdcdc1504afd14b9886004b9a45caa8fd91b0c7339c5e9b5cfd7c0cc9594b5528093aa35213

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlPersistenceProviderLogic.sql.sos

Filesize
6KB

MD5
e0e94a5d0f6e0c76321aec9adc611541

SHA1
b705acf4c964712970cf8d6e7081817ccbb56226

SHA256
ebce3b523501dbefd04df27d602d42af9df83afbb180aad1fc1526c0f6fa4301

SHA512
cb6358cef008f75d5190423da1b993b7a1df5ac21fc782937d61a18700e32a9f7d2f8900a418b55b81f87b838a58326606fd74f36d63b15a1ec62de9c2adcb22

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlWorkflowInstanceStoreLogic.sql.sos

Filesize
62KB

MD5
a1f1fd4fde88dd183d3cb2b528cfabd3

SHA1
475b473ebe5f094cae65e8cc2be377c25abfac91

SHA256
d4122aad0a37d7a28ef55f3284e4d69e937dbf81264842728a9e7cf1e6104040

SHA512
271cd9eac58c662ddae31b0bf65263eb006f63f0348ee0971499f8f9691a9463d4942606b008174c43cb6f36ce30d5ee4209e1d9143503ad852833869d8825be

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlWorkflowInstanceStoreSchema.sql.sos

Filesize
28KB

MD5
cc30cb66980b0ce495e3dc373f7d3e2a

SHA1
61aae09bca47f6fcff5d7532a3310cdd9753f759

SHA256
ac92cac3bd41897fd1887ed1b5bce66c5a2671b397f3d301984828d4f2617c88

SHA512
18e6d17b1e6f9631ba0adc24ac031b1b2b4e9a557c14eaee093aed8e611d272dc066c354786649d2e3f2227f4f0a16114ed065049ae427fbcaa9420c6cf307bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlWorkflowInstanceStoreSchemaUpgrade.sql.sos

Filesize
88KB

MD5
32ae70561bf28da39fb734eb01da049b

SHA1
4f4fbbba70d878b6e99421273def0b86ca7dc365

SHA256
cf449ffe25607d7f9c50964701c10469ede048e848f7d7fe380af6644d89ac79

SHA512
132835d00d0dec13a87e4bcf547af3abe9bd4bbfc30196e7d9640f2b50e13299e832b186003ececa357d3c0d66d3e00be2eb1424d692c7aafcf22e6883efdfdc

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk.sos

Filesize
416B

MD5
e25baa9f0fc68e966dbc27cd591f6d34

SHA1
e1635c45bceadf6c9c2a14728ae09e8eb17d4d28

SHA256
ad4144c82162c13f0aa4dafc0f2cf5b56053b5adcbb4d499541c1d22a77467db

SHA512
851e7103742d44c1d8990548a09c0f150aebcbe1839928b105ca3abe51151cd7045ade17097677155128ec37baa080e8a4e240c8a4628da80d4b41c81d9a4157

Download Submit
C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs.sos

Filesize
104KB

MD5
2b8cf2cd44709134cb4432806be2ae87

SHA1
58a2e665523b2d05a9cead41a2bf46d41680e131

SHA256
c9990beb33429b732485c170ea9e4e5fe3847e81da459becc6575e266ba93d25

SHA512
5050c2832b8ace6df0a63583b10fe03013dbd62d4634f9d495c8a345d06cdd0d1cd6c9bd6b6ba7ac3a0be3263147587bd0bb262966ce9861db7e71ae141645c8

Download Submit
C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs.sos

Filesize
56KB

MD5
2279e4a585affd5b51af684842e99fe1

SHA1
521a0805af3c5c809b8e7b26071da878dbcc819e

SHA256
df75a969f3593e446f1565a2bab2832eb5cb6991bbf3c85e05c99115fc838dd3

SHA512
9215490642d7679b7b0aca1eea305441d461116a577ac47475340c1fd619c60109a26f51fb63c350413f6e1dbcce4799d88833b2b63f57639e6e50d742ef2da4

Download Submit
C:\Windows\servicing\Editions\ProfessionalSingleLanguageEdition.xml.sos

Filesize
30KB

MD5
664811fd86a5b42c997fe8974c81b195

SHA1
ab77a3641a0427a8c50afe7aa71998d87b5ebebb

SHA256
460e61f49272d1468d1d2fe3e3e258016d5af980214f170bfc0479d7735f77a6

SHA512
6360b5346e629d181d637bfd8b7709bc44456d5311ff52644aa7840086780ff86a1eedc4ff7682d002cc7babeb5870d859d98a3d9f690a94d0d843ec17a70b03

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads