1eddc7c828f55c4879decba9d8d1011deacc756ecbf137bb7abfb315a8d675b9

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SevenRecode.exe
Size

67.6MB
MD5

272e0f870784656cfc714ed65c635c54
SHA1

5b32ce1a2178d9281d8ecebffabdb496a56ecd08
SHA256

a85f906174267927addab742727b2ef74a6327d33f8cd5ca6a9654657593e9eb
SHA512

e42a8aea5d12cc10510e8a02ccd350504fd77b2740f993f6bb2dab7769eeee1221fc6d2eca627e4ad98bc26f63f382ea0347aceecadaa61935f93c4198052bff
SSDEEP

786432:43a4EjmnHgFz47/vZCM2/55c2lStV07Abla0gGbiWj+:43a4EjaHgDM2/LjSD07tjG+

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Renames multiple (3958) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SevenRecode.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	SevenRecode.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRecode.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\c_system.inf_amd64_9b8d1bdcdb2e7608\c_system.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\Dism.Types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventSession.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bda.inf_amd64_06079223f701d43d\bda.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_hidclass.inf_amd64_d6815bc5111fe8fa\c_hidclass.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_skl.inf_amd64_9d9dbb01837eba23\iaLPSS2i_I2C_SKL.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_b6abae2a982c570d\mdmdgitn.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_6b2424cf323ba8f1\mdmgl004.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmc288.inf_amd64_818632c8a603688f\mdmmc288.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsusbhubfilter.inf_amd64_3bf74adaa444f9a2\tsusbhubfilter.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\DnsCmdlets.Types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_TcpIpPrinterPort.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_f1a7a2fbd6554d60\mdmcxhv6.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsopenfilebackup.inf_amd64_8424300b27b24147\c_fsopenfilebackup.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\heat.inf_amd64_0ab0a9f9e4b15fe4\heat.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmSwitchProvider.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpitime.inf_amd64_4456a4584af0a603\acpitime.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cmbatt.inf_amd64_e8ce031773d264db\cmbatt.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\itsas35i.inf_amd64_2dd0adfe5dc63075\ItSas35i.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock.inf_amd64_9eca34214130d27e\mdmrock.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsupr3.inf_amd64_0f74ccf78dc6a4b6\mdmsupr3.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_8a55c8b605184b41\mdmzoom.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_e0a0e444a7ecc8d5\vdrvroot.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_7b58ae07452f0e50\mdmke.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_32b8d1c2c827f4fb\mdmcom1.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mausbhost.inf_amd64_83ac938674fdf51b\mausbhost.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdm3com.inf_amd64_5d33b9b72b4cc35d\mdm3com.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\MSFT_DAClientExperienceConfiguration.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipoib6x.inf_amd64_ef71073a5867971f\ipoib6x.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\Storage.types.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetDnsTransitionConfiguration.format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_38dda8b3ba4d452b\mdmiodat.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_ports.inf_amd64_2b454c24d993590c\c_ports.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp.inf_amd64_75f81f0864dbcd9b\microsoft_bluetooth_a2dp.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.Formats.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataAdapter.ps1.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_scmdisk.inf_amd64_6b231d72554c7580\c_scmdisk.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wmbclass_wmc_union.inf_amd64_b999217f400a2ae8\wmbclass_wmc_union.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterIPsecOffload.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netclient.inf_amd64_79909aeb3c3e3209\c_netclient.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxlg.inf_amd64_281df5304fe06482\mdmzyxlg.inf.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PKI\pki.types.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterPowerManagement.Format.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png.sos	SevenRecode.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Smb.types.ps1xml.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterStatistics.Format.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgatew.inf_amd64_81bf63547b8bc934\mdmgatew.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_8b25be91611870eb\unknown.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_1394.inf_amd64_ad7eef01fc615846\c_1394.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_eef7756e63d1f574\hidir.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_620c281895426e89\MPDW-constraints.js.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\scmvolume.inf_amd64_5c690f74a44a217f\scmvolume.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_c9d407dd6647871f\usbvideo.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wudfrd.inf_amd64_7e92bb4a6d306eb1\wudfrd.inf.sos	SevenRecode.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetTeredoConfiguration.types.ps1xml.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_e61357c1a331ecc4\hdaudio.inf.sos	SevenRecode.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_c78f664cd08d0111\mdmgcs.inf.sos	SevenRecode.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmprz1zbj.tmp.jpg"	SevenRecode.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SmallTile.scale-100_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSplashScreen.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_100x96.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpOffline2.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-40.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Keytips.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\MediumGray.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.scale-100_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-150.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Popup.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\compat\index.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardImage.styles.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\dom\setSSR.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-72_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pt_135x40.svg.sos	SevenRecode.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CameraStoreLogo.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintMedTile.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateAppIcon.targetsize-24.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\s_agreement_filetype.svg.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintStoreLogo.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-250.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SmallTile.scale-150_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-400_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PaintLargeTile.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSplashScreen.scale-125.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-24_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Styling.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Separator.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\Dropdown\Dropdown.js.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\ui-strings.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-40_altform-unplated_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-36.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-20.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsSmallTile.scale-200.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\utilities\makeSemanticColors.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TipsMedTile.scale-125_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\sessionStorage.js.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadgeLogo.scale-100_contrast-white.png.sos	SevenRecode.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-100.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover_2x.png.sos	SevenRecode.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js.sos	SevenRecode.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.22000.65_none_99e34b544b7754a7\IccidToRegion.xml.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\emulationCombo.png.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\n\Assets\GetStartedAppList.targetsize-30_altform-lightunplated.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-black\windows.opennewwindow.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_10.0.22000.37_none_1c5e9e8769a71107\RS_ResetDisplayIdleTimeout.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.22000.1_none_320485a967710068\WiFiNetworkManagerWarningToast.scale-125_contrast-white.png.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\FileExplorerExtensions\Assets\images\contrast-black\windows.bitlocker.manage.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_b03f5f7f11d50a3a_4.0.15806.0_none_a7c19c2403ed1c0f\error.aspx.sos	SevenRecode.exe
File created	C:\Windows\Media\Windows Background.wav.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\i_chartzoom_in_disabled.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FileExplorerExtensions\Assets\images\contrast-standard\theme-dark\windows.disconnectnetworkdrive.svg.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\n\FileExplorerExtensions\Assets\images\contrast-black\windows.searchoptionsystem.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\backstack-chrome-breadcrumb-template.html.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.22000.1_none_320485a967710068\WiFiNetworkManagerWarningToast.scale-200_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars39.scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.targetsize-256_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.22000.1_none_e4512f709bf99514\5.txt.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usertiles-client_31bf3856ad364e35_10.0.22000.1_none_7fd9810a1db77d70\user-40.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeerror-page.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\n\FileExplorerExtensions\Assets\images\contrast-standard\theme-light\windows.newitem.newfolder.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-fax-mapi_31bf3856ad364e35_10.0.22000.1_none_b0384c73b1117696\mapisvc.inf.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\breakWorker.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\StartMenu\Assets\FileIcons\32\dotx.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\f\Cortana.UI\cache\SVLocal\Desktop\21.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.22000.120_none_285ae36df9fb90ad\tokens_frCA.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.22000.1_none_28587f5d588ad881\Advanced.Theme-Light_Scale-300.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\SplashScreen.contrast-white.png.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\HtmlFormatter.js.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\SmallTile.scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_mwlu97w8x64.inf_31bf3856ad364e35_10.0.22000.1_none_7c84887371c385ac\mwlu97w8x64.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..esolverux.appxsetup_31bf3856ad364e35_10.0.22000.1_none_11d3424c13546a0a\AppxBlockMap.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\Assets\GetStartedAppList.targetsize-16.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-standard\theme-dark\RunAsAdmin.svg.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.22000.37_none_9fb69ca862f02d04\f\HTInteractiveRes.ps1.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FileExplorerExtensions\Assets\images\contrast-black\PinToStartScreen.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.22000.1_none_9f994bec1559e1ba\RatingStars38.contrast-white_scale-200.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.194_none_15db8cfb1c6a6b33\logo.targetsize-30.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.22000.1_none_6d5619d8ba52aa97\Windows Startup.wav.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_en-GB.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms008.inf_31bf3856ad364e35_10.0.22000.100_none_df6a6179240002e0\r\prnms008.inf.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0411\tokens_jaJP.xml.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\f\Square44x44Logo.targetsize-16_altform-unplated.png.sos	SevenRecode.exe
File created	C:\Windows\INF\intelpmax.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\oobe-chrome-breadcrumb-vm.js.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..monotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_618940d4a376d501\RestartNowPower_80.contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\[email protected]	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_dual_cht4nulx64.inf_31bf3856ad364e35_10.0.22000.1_none_b49e9a23579afe5e\cht4nulx64.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_providers_b03f5f7f11d50a3a_4.0.15806.0_none_9ac1ce956f4e04cc\ManageProviders.aspx.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.22000.37_none_9fb69ca862f02d04\f\StartDPSService.ps1.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\cache\Local\Desktop\15.js.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FileExplorerExtensions\Assets\images\contrast-standard\theme-light\windows.readingpane.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tings-windowsclient_31bf3856ad364e35_10.0.22000.1_none_d08f2366c88c9e59\windows.diag_ondemand.xml.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_b03f5f7f11d50a3a_10.0.22000.1_none_7ca4864e0323ca0d\home2.aspx.sos	SevenRecode.exe
File created	C:\Windows\diagnostics\system\PCW\TS_ProgramCompatibilityWizard.ps1.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-100_contrast-black.png.sos	SevenRecode.exe
File created	C:\Windows\diagnostics\system\Video\VF_viddrv_driverblocklist.ps1.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.22000.438_none_c886d8ddafb935ef\r\wfplwfs.inf.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Assets\contrast-white\GetStartedAppList.targetsize-96_contrast-white.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\formatterTypescriptServices.nls.keys.js.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Wide310x150Logo.contrast-black_scale-125.png.sos	SevenRecode.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\FileExplorerExtensions\Assets\images\contrast-white\SearchAdvancedOptions.svg.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_10.0.22000.65_none_d600b69a2b616bce\MicrosoftFamily.scale-400_contrast-white.png.sos	SevenRecode.exe
File created	C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.22000.51_none_8f36ed7cfebd2222\AllowAll_EnableHVCI.xml.sos	SevenRecode.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars44.contrast-white_scale-200.png.sos	SevenRecode.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1904	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	SevenRecode.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4492	4200	SevenRecode.exe	82
PID 4200 wrote to memory of 4492	4200	SevenRecode.exe	82
PID 4200 wrote to memory of 4492	4200	SevenRecode.exe	82
PID 4200 wrote to memory of 1604	4200	SevenRecode.exe	84
PID 4200 wrote to memory of 1604	4200	SevenRecode.exe	84
PID 4200 wrote to memory of 1604	4200	SevenRecode.exe	84
PID 1604 wrote to memory of 3328	1604	cmd.exe	86
PID 1604 wrote to memory of 3328	1604	cmd.exe	86
PID 1604 wrote to memory of 3328	1604	cmd.exe	86
PID 4200 wrote to memory of 2508	4200	SevenRecode.exe	87
PID 4200 wrote to memory of 2508	4200	SevenRecode.exe	87
PID 4200 wrote to memory of 2508	4200	SevenRecode.exe	87
PID 4200 wrote to memory of 1120	4200	SevenRecode.exe	89
PID 4200 wrote to memory of 1120	4200	SevenRecode.exe	89
PID 4200 wrote to memory of 1120	4200	SevenRecode.exe	89
PID 1120 wrote to memory of 4656	1120	cmd.exe	91
PID 1120 wrote to memory of 4656	1120	cmd.exe	91
PID 1120 wrote to memory of 4656	1120	cmd.exe	91
PID 4200 wrote to memory of 4460	4200	SevenRecode.exe	92
PID 4200 wrote to memory of 4460	4200	SevenRecode.exe	92
PID 4200 wrote to memory of 4460	4200	SevenRecode.exe	92
PID 4200 wrote to memory of 4192	4200	SevenRecode.exe	94
PID 4200 wrote to memory of 4192	4200	SevenRecode.exe	94
PID 4200 wrote to memory of 4192	4200	SevenRecode.exe	94
PID 4192 wrote to memory of 1280	4192	cmd.exe	96
PID 4192 wrote to memory of 1280	4192	cmd.exe	96
PID 4192 wrote to memory of 1280	4192	cmd.exe	96
PID 4200 wrote to memory of 2408	4200	SevenRecode.exe	97
PID 4200 wrote to memory of 2408	4200	SevenRecode.exe	97
PID 4200 wrote to memory of 2408	4200	SevenRecode.exe	97
PID 2408 wrote to memory of 2736	2408	cmd.exe	99
PID 2408 wrote to memory of 2736	2408	cmd.exe	99
PID 2408 wrote to memory of 2736	2408	cmd.exe	99
PID 4200 wrote to memory of 2220	4200	SevenRecode.exe	100
PID 4200 wrote to memory of 2220	4200	SevenRecode.exe	100
PID 4200 wrote to memory of 2220	4200	SevenRecode.exe	100
PID 2220 wrote to memory of 2000	2220	cmd.exe	102
PID 2220 wrote to memory of 2000	2220	cmd.exe	102
PID 2220 wrote to memory of 2000	2220	cmd.exe	102
PID 4200 wrote to memory of 2304	4200	SevenRecode.exe	103
PID 4200 wrote to memory of 2304	4200	SevenRecode.exe	103
PID 4200 wrote to memory of 2304	4200	SevenRecode.exe	103
PID 4200 wrote to memory of 440	4200	SevenRecode.exe	105
PID 4200 wrote to memory of 440	4200	SevenRecode.exe	105
PID 4200 wrote to memory of 440	4200	SevenRecode.exe	105
PID 440 wrote to memory of 900	440	cmd.exe	107
PID 440 wrote to memory of 900	440	cmd.exe	107
PID 440 wrote to memory of 900	440	cmd.exe	107
PID 4200 wrote to memory of 3760	4200	SevenRecode.exe	108
PID 4200 wrote to memory of 3760	4200	SevenRecode.exe	108
PID 4200 wrote to memory of 3760	4200	SevenRecode.exe	108
PID 4200 wrote to memory of 2572	4200	SevenRecode.exe	110
PID 4200 wrote to memory of 2572	4200	SevenRecode.exe	110
PID 4200 wrote to memory of 2572	4200	SevenRecode.exe	110
PID 2572 wrote to memory of 2740	2572	cmd.exe	112
PID 2572 wrote to memory of 2740	2572	cmd.exe	112
PID 2572 wrote to memory of 2740	2572	cmd.exe	112
PID 4200 wrote to memory of 688	4200	SevenRecode.exe	113
PID 4200 wrote to memory of 688	4200	SevenRecode.exe	113
PID 4200 wrote to memory of 688	4200	SevenRecode.exe	113
PID 4200 wrote to memory of 5088	4200	SevenRecode.exe	115
PID 4200 wrote to memory of 5088	4200	SevenRecode.exe	115
PID 4200 wrote to memory of 5088	4200	SevenRecode.exe	115
PID 5088 wrote to memory of 3716	5088	cmd.exe	117

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1280	attrib.exe
2740	attrib.exe
1092	attrib.exe
4556	attrib.exe
4656	attrib.exe
2736	attrib.exe
2000	attrib.exe
900	attrib.exe
228	attrib.exe
4204	attrib.exe
3328	attrib.exe
3716	attrib.exe
4816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe
"C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\Winhttp.exe"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\SevenRecode.dll"
  2⤵
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.dll"
    3⤵
    - Views/modifies file attributes
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Users\Public\Documents\Winhttp.exe"
  2⤵
  PID:4460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\Winhttp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\Winhttp.exe"
    3⤵
    - Views/modifies file attributes
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\SevenRecode.exe"
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.exe"
    3⤵
    - Views/modifies file attributes
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Users\Public\Documents\SevenRecode.dll"
  2⤵
  PID:3760
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.dll"
    3⤵
    - Views/modifies file attributes
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Windows\System32\SevenRecode.runtimeconfig.json"
  2⤵
  PID:688
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\SevenRecode.exe" "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.exe"
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.exe"
    3⤵
    - Views/modifies file attributes
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Windows\System32\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.exe"
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.exe"
    3⤵
    - Views/modifies file attributes
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Public\Documents\SevenRecode.runtimeconfig.json"
    3⤵
    - Views/modifies file attributes
    PID:4816
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\system32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
  2⤵
  - Creates scheduled task(s)
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.sos

Filesize
720B

MD5
c18be9a6683d4091603e827f96ff19c0

SHA1
93870909eb5fe9946b0dcb8ee47b9d2ec5aa4fef

SHA256
97f0d005fbf7e526e565a3c981386e47fec434374d4f96431afb52bd77824cba

SHA512
19a2d86df2cee824358f364fec37737a2a9e987c69ce9318037db2e310f6a36c2e9b4058b91aee9a1e5736fe52777a45d44cd3167546cbe24f5e0a89c1b7f072

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.sos

Filesize
7KB

MD5
ac0c5b1f0890f8f7d68f9d73acf82b50

SHA1
d02d3ab9952e1ebedc2b2fcb2e9e8b9f00ee286a

SHA256
4069a844a487c8aefb08119eedbaae8801cea467fb09399a991771de7e8e1811

SHA512
4a9a14a07da87dacceb62492d3d1e712a8f806d25bf304ad956641cdb2faa7dbbcaa64b2fe9f69a5015d75e91ddf5181916d21ccbc4f8d309e8183807dad7849

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.sos

Filesize
15KB

MD5
e2c7edb05c3e4e5dee2fdaaadf61f59a

SHA1
c6cbf44697407e40f145ad26629145e390d63864

SHA256
eab5180305a44567b5aac75f6e702f36f051fb10db9e70a8317d546764cad814

SHA512
25ccce12edd2284243bc2edc0906153adfa43ca2a358cf2e46082a0402a51497f264b9493ab8297baab1e81deac8dfa2dcccd27ffc73b26f729e9c550edb0217

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.sos

Filesize
8KB

MD5
25a53c8123df35ebf05c5612fff0cea9

SHA1
6de58e0e636b5008e4762a7380c5ec8338a02fad

SHA256
91d2f884822715f0f6d0b2813f5a68d48d3ca34c561a3faa126d5f37ea48a043

SHA512
f49cf4519194d8044bb8d8dd5e902a750cb9608fde7e682c2ba624d345fdc75c035dce1b7cb24a6f8dfa59051825ccb6e5d7e5d4da91cab3fb2b0a16e6d26569

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.sos

Filesize
17KB

MD5
e7bdac54bc35961274d85cb879cb3a5f

SHA1
17d5e6947bdb5e7dab410dabf20934d1e5d6151d

SHA256
d0d77291b9b4e0e9c27f2d59777f458a4d30aaac18c49914b9d2494e01768a5a

SHA512
62478a8a8faf7e29fe0ff822f88f6c0a22ee9d13dff62d89649806056bb6fd3730fede5b4651311d017696c8dd0de92ee66a79f64db75621f52efcf4a1cf0639

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.sos

Filesize
448B

MD5
08074361cfaacb9230a37d1ec7f30c42

SHA1
45e2ccf94e69c5a9f83e7be992bb7cf57859ed56

SHA256
e3ce9dc337bc5e9cf1040a9462126beb5cd4d38510d1ebd2bea2110f3ea69c2b

SHA512
2137411f129ecbe9231c8ea7308ab3dd9942f7936648521469801b79147888047725acd383b3908fe3b385044050542b084543f1e68908c74ed5d45df20b414f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.sos

Filesize
624B

MD5
ac9c2131040639e559a790d6c3325258

SHA1
8c4967481008c67fc76fcb236ad59dc940f46618

SHA256
3e9712251a7e6d4b1927be0c0e7fbfc85c267be4beed4eb23ddd7de24f166d3f

SHA512
46bf0c7b89bd9cc7f4771c64b7eab06ae870f7f95685e12c0541314495352403374899b8ce101b741a1c8da440c27aaddc95e73b3418e263591c386c8e7c7445

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.sos

Filesize
400B

MD5
4916680f2d27bb9d179ebc65b0149a89

SHA1
49d7f6cfd26be12a8d71a83053f13f1e1b605652

SHA256
f7ea397f27665d2d1cfe50681081f761a271930362a948d805b0621ceeba204d

SHA512
4bc6a3c000a01fa4ba4dcdf8c82d3cc0895c6cde292b8dc1921babfe1372fa2a1fb018195151dcbce2c90298444f1ed31d594bdeb76be477b2ebca7ebbdee891

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.sos

Filesize
560B

MD5
7c7462d9ef4a27964ad1a7593fc20edf

SHA1
1e0099323893ad8a48f587bc82e8aded2052b5a7

SHA256
ca5a8a25adb873b3d4ddc423fe22e1a28e034d21e2445e38a36467add52418ea

SHA512
7b4d107d0d3a9c57920f63f75fbbca1e59f3d3e93a660737b8ba69ee29dcbf559ca7aa3a95ad2580b34bb80ac088aaf0a25830ffe86f74037dea481b02db2204

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.sos

Filesize
400B

MD5
c76c9318cddca8db2836119892fb5903

SHA1
67730824af5d01e15f8e6ef377be74b48b00f3dd

SHA256
e1ce640c49ae1e35b423ca761dc5366e58938e3970f9e1cdbde55eec8f9e9f18

SHA512
a0f39011215c9dd529ea5ccd5912c03bd694083ab65189914af53e426994a113ebfd08cd0d1bb3debe85e91ab6be9e204edff45c5b4f6ef79792732299367528

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.sos

Filesize
560B

MD5
613705c7ce6595df2201dcb4b99cc39a

SHA1
847a82305ad6cf12e4ba3a995de0ff75c66d84fa

SHA256
1f759125550d1b7dd2e9498461c8fc0581f713fa1e8d33ffa8ffeaa56c1b2f3c

SHA512
316602e4262dffd6d93e7e64b9aaf273a3e9286b338a96d936085b374fa4586425f3ece09a3bd892d3aef99c62d556a724f2800196023b1b95956423568de081

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.sos

Filesize
400B

MD5
c67e600a6145a76ff3a4c2364c4122be

SHA1
a0f69bbb1f3e8f6a273d163b270398df1ad5b2b7

SHA256
a1bddc85d83d700867b97a739fdd30005155fb14e053e97cf0062c682fc6d976

SHA512
7bd1f90a304603d9adee8dfd35acec4a58455a9fb17c67c4a6b0fd774a2fe75f8fa516d5e509e18d73f36fb63cf1e9bccbc8ffc5df073b27c764040d15a45168

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.sos

Filesize
560B

MD5
cd9efc5912b45ac3485ea82b96a8a471

SHA1
18d38ebff6b98dbc25518faad009143bd37666e9

SHA256
78dcbd9800702bbfd1a26939847087bbc99141872389b011dc1f572424cd3f53

SHA512
a9e2ad0a9d84894d8ee31d5b83812d604038c18e882d41d83b1b40225f594c03d8954305a31b698e118184a080887ae0ee8818a685ae61e116a8db33f041927c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.sos

Filesize
688B

MD5
8f503a4c5c27953cdfaf495f3a2cf312

SHA1
b83fa2cb356b1ff67f7bcdcfc0783e97cb1fdfff

SHA256
ea1a11c764ec9bc9ba3a2625f03405b87d69e9cd5fd4529fa4395c2b9ebf8d62

SHA512
5db415e95f68afaa5310eeed40fd1d34d03cd5e9f3fdcddc74dfc6c3705a98ed2036854b9f25f9ac6acac808458ba6fc66567688f2db9cae876e29873996a750

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.sos

Filesize
1KB

MD5
82cbbe22b879510cb83e680f14214891

SHA1
abf71eb55c92042d43086e69b6d1c93959162df8

SHA256
b761ba91fcd5cd416eee0d98bb47bb30305221831c6ff962740da6c4f95dc8f9

SHA512
ef602fd0e3d37019278b83afb0513b1cb20832f7917fc0b99030a01e0a0e55c9e38b8fd1f6e624bf1603f962fe811b1ed745d524183b24f5279e3232190e6523

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.sos

Filesize
192B

MD5
30dd292b9f8a8f9b7a0c52bbbd2c87ff

SHA1
7dc393330fe95745ff6337e9d404d6fb29097c59

SHA256
dc8c360d48e5243b544ccf4077b34a620bb6ae24d8979f7c1f41c1c757f45f71

SHA512
9f404d3c1dc03c95ff1866fd81e56041ec548837436849c75884622d68065defa2afa27ec61c6aa004b3a6fb1a76e4f1d5d3b6fa6d015bab9f0fbf2acb134424

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.sos

Filesize
704B

MD5
08f61f1459f9119573eb2ca4df40e34b

SHA1
e440b4725102d014f16519b290f97d30b3d69ea9

SHA256
f608bdce4663484ae2dcdc60bc26a8eb30d854d52f2cebaf732fba1f938a0698

SHA512
10ffa3a7c07d8ddcafaf1df5a89bba589e1b4c6650c925a7c67e2e28b786b7d3500f7953c67c9595476cf7b4e91dd21a0b55ac3a6b7540fed8e0dc1722c4c415

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.sos

Filesize
8KB

MD5
2d520312907aa40bbebcff24679124b8

SHA1
18c55d21efa6b3fb60806d9848cdf51fe4519c5d

SHA256
093cd5df3fcca311ca5058ee81a08ad9ca531af4fadf1bd341ed963faa358e29

SHA512
a4cecc5d22c47fd016bd81967d3ede827409ca8287dac17af8bc58de0ec05d6a708767d852efa219898120c573c5be91ecada92126ea7c2237200e842bb440a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.sos

Filesize
19KB

MD5
78044eadbbef5c20b310b81edb9cc7f4

SHA1
de309213395a15269ab97bbc09f39f6154f05063

SHA256
86d6a1ac67f30108c4aa9c396a2b7179c97cb5c11e0305c10f1a134673a90b93

SHA512
8e10b45dd88bc4cca4260ccade1fd83dc99c756b0582f14d3f73860788cc550bf8c6d2b86eb08da93d96d0b47c51774211cdaf0fc5cda0cde7c0be7d43194a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.sos

Filesize
832B

MD5
ff610472329e209c971e61bf83b081dd

SHA1
11a1271bb02a5a8b04a6e0633d246f51296461bc

SHA256
9379c40601a2b61cc450295953ca64e352b97c2e9f8bd002c4b715981c576898

SHA512
5f7d7f51b23644921f1fe44dd783dd9637a4d2d11702fb16db06f98d17ec60513e1e6985f16d9b57a516b5acbe009bb6a5f303a877ba4d2e96987f5bec9114e0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.sos

Filesize
1KB

MD5
6057b17df09a6e80ef03de5882e21640

SHA1
828c97c49f43dbca2b808070fbc0f2f62b6c976e

SHA256
f7b0619bd459d7bf359c1f4cedd34e4695dd493c647456987dcdfc5f60aaaf53

SHA512
250986527b07344dffe0ea71bac216e33b004bb84a67fa3527cea048b2cbb786186cc77547b8bca31290ea51a4b12cf132c87eb741c5766bccf672e90ecabd69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.sos

Filesize
1KB

MD5
8e4ec8fd6b69ebacaebfd10d7b808591

SHA1
9f9721ac08bcd35b049f8b0d1686e1f1bd914c63

SHA256
b38eb1f98cb7b0c5ba0e5d0ea93269a3ccd1e782fd853c9f9fba0d852bfdc32a

SHA512
ae67781d69de0ed76556aa0a996952723d3476399833a2c852e2ce9513e100096229fee8606caf0acb930198ff9b146164d643d705d4a6086c5094e39e275ee6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.sos

Filesize
2KB

MD5
7e8706f91781fcb94782d9604d6947d6

SHA1
f1830fb9657171f186449b9a1bc244d18c54a15c

SHA256
7d0935e8783b3e1378ed8e6f7a706e02c00f05fb52899edb83c243c2e3645a5b

SHA512
c3fcb8a29c9e53111462f35916bc8b753e1b149804e833dcc3257055e6eed9c61109ffacd7bb38951a0da13ca6a41062e774d267011a4bfb904b201ac7ccdf0c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.sos

Filesize
2KB

MD5
1bc411ca226061d39743bc69a43e3135

SHA1
4aafcfde3a1077e6adce4c6fa1028b4560c5e197

SHA256
e23894e617fd7bf0c0dba16a599d1da7e83bdb20b90d4c9d18f59a192b22ab22

SHA512
845996db242a8ebe6f77ab86b8ea30182a868c727537383b7de2110040f1e9bac73411ac666a56f08a3a6dd89f2af1eb490c744ee75ef671e3f3da1bc90a0cb2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.sos

Filesize
4KB

MD5
e430a09b73fd306087badef4ab13b8f1

SHA1
df428dbefb5d73112f599d80bbc0716c5ae9bfa2

SHA256
d51178cc512f61c428205ad94db424602861077669d7b8913e14f037bb218a3b

SHA512
6d5f345817bcbdcfd7083bf85cef871af74b2c840cabe2fa04dc11e0a2e299d6ada676d94374e2bef0cafa054e3bad7b306d725d4ca943918ace9a88e93753d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.sos

Filesize
304B

MD5
43360c8a22318b802f18c14e3b242815

SHA1
985ac1af40b2f8d8dca9ccc6caebd5a4d4aefabf

SHA256
4531142493b217a681aeda4494638e3dbe49398e6f3baa918ecc1b137ce14f97

SHA512
60ed43315c376b9579a2a6e9e229595c0d49006e1317bdcf5e581a157a8f72de09df6fd28c5b2ab7a06742bdf0c2533d2760ce5bcd6ae3722f70740688a3d1b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.sos

Filesize
400B

MD5
62600940148a9b0280d1dce7b6cad17d

SHA1
3acf197ab502a0897629e3d1cb5fb40082463625

SHA256
2ca428218281e36b3035a54e028218199a7573c7e16f0d34662bfb288ca8be6b

SHA512
5164078adbf76b472f9b1dfb7630151b025c9c81b77e28058c56aa5953f2812ca78328d103479018d59fac7f81ceb266fb08e77b7020545a3d7058b9d7634c3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.sos

Filesize
1008B

MD5
e11798558b5a65488f7f2feed32de67b

SHA1
cb9e3df6c0460aa85f552f73ccef7796b64f2e17

SHA256
ffd421974ec7f70754b8b959b2196bb1234da28ecd8fb6249f5f0df2db94c076

SHA512
d2ad11895de5e83ffe9d0e81ef5927e4ead0e851cdadc32799c4ee20c50198e2660f5a42ff31dcfcbe8a1cd3b6751d8b432ad70ac9ca38fb12ae31da19ffacc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.sos

Filesize
1KB

MD5
45227ed19c66bec018fbb3dc7f533a78

SHA1
831359a1b0c4b33451060e7a827eee3eec9076e4

SHA256
dd28611d0cc4283e5d7fbd7dea8afcd3f2abdd2c3a440afcb7600ad90878e5e1

SHA512
0a160b325295661c1b370c07f37e49607e5ec1ba9cbab26f641ab4cd750debdb38a67f8ed2446580731046968d3eb7f495a156fe6727c8097de364dae65f224e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.sos

Filesize
2KB

MD5
eb5842e387a663d67499b7607c2dce3e

SHA1
3c85098c881016e05dcc952c679471bb3b5da081

SHA256
c76e8b582372037b051c691298efb8f83162f93092b54fb026b932ce6320db35

SHA512
6bbb72b0c00c0b1fe305bbb3f82df73738a6b2038012db1cd67ff6d1ad50a0e7948309760657e131358fd49cc88193bc3537eca55136f1e02fea878ae88963c5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.sos

Filesize
848B

MD5
ddd098d75cec06a603843ac0f673353a

SHA1
4f55228132599f3f9de79fe1019f18e77f2ea3f3

SHA256
5d99f1eac3f360b24861ac5ed9db6f15fde42bcd7438d05a4ecd125c7c9c08fa

SHA512
f2654aeda60a3f7cb8f768f4ffc459ed671f4cece88bcc0207abe64597ea7509d556bf73f7cd7761fdd9d95e43abacef5cfec8448edffa04c491061939110131

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.sos

Filesize
32KB

MD5
381707adf1deb580b40372d15884523e

SHA1
72036a3e82877cfb5cfc7f9e234d5e2efc198589

SHA256
44f8449b151f31462057775dd1123fbf9fec5216764842eda748fe516db79572

SHA512
641c7b80ee80c6dffcfb249d2faf6294513b716b1a6626e5c90294ee24678d54f98335a584d323464756482be19293b90337b5fde5940d8dce3ab3288e5aedf2

Download Submit
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1.sos

Filesize
256B

MD5
930a4e8c1d3596094c54a01bf3cdfe60

SHA1
d150ba0e5b0fbc67ed246b0f3eed0ee31d6c9045

SHA256
a886d27b8c4cfd50aa0fea1822e11da2eb3a6b5248efb2c218778d416b16cbab

SHA512
2c14f00f10c4cd7116dfda3630c0af12cadad148d04a78ac59cb5397e0db22971fc86fdcc2e796f71d5c4ee6cc8a0bc56f70952d5a39739a034aa18665034686

Download Submit
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk.sos

Filesize
416B

MD5
e25baa9f0fc68e966dbc27cd591f6d34

SHA1
e1635c45bceadf6c9c2a14728ae09e8eb17d4d28

SHA256
ad4144c82162c13f0aa4dafc0f2cf5b56053b5adcbb4d499541c1d22a77467db

SHA512
851e7103742d44c1d8990548a09c0f150aebcbe1839928b105ca3abe51151cd7045ade17097677155128ec37baa080e8a4e240c8a4628da80d4b41c81d9a4157

Download Submit
C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\Assets\StoreLogo.scale-100.png.sos

Filesize
80B

MD5
33a9f17dd8e50ab0b614dfba8a577e12

SHA1
dcaba228b37abe75bea3611358d7ca42708ad369

SHA256
6d00b5a0ee9b03c5710969b830b0e8aab9e7936ad8ba0c44e706356a1b095774

SHA512
b3290be259fc9847ddd69126ce15508f423e7d34dcedb0bb7d0f1837137572a9db59da21b6b1ca2e7c5a9ab47c38487d24a1dd76259b7d4104f54f62cff425af

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-16.png.sos

Filesize
176B

MD5
1bf1b625149fa827e4cdae9f7048ed2f

SHA1
cce332cfa01d2c4a9bd754b23a1ea0e6ae544232

SHA256
daeb6533e45cb09bebdbe2a3384c11dc2270635c3e3341bc6f2d5d6c5849b660

SHA512
1235eca664e83d6da595486ef00e7302a9dbdf0f86d37639b880e3febea93c068bb5c7decb921a03e950594879a2eff195c0f3eb4dc19fbf753f8857ffca311d

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-20.png.sos

Filesize
208B

MD5
342a1b9a826494c61f5d9a24242e5269

SHA1
903911e9010e7f7bf7ac900dfc91b94957916a55

SHA256
e0e9434259bb5fb3cf1277a11654deaa0b62760bf4cb3e07a3b8cbb4fe9cdee0

SHA512
44ee3093c9e915e620be524b8dc42e72acca2fdf781d6c0c7a4fedc32d3c6b27fe0f2a43de84a57ae6ffa3aeca63fff64e99f3b2c2005bf0ddfd537eec06ee66

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-24.png.sos

Filesize
224B

MD5
45ec1e072f352bcaca3983d0d12fe2c3

SHA1
ae8e58de0be58b45ef2b6cf6edd85221a76eb9ba

SHA256
9203f516123bc2c62b775860b2b767acbde4355f059dd3fc72e035b745b5943c

SHA512
f8218b17a9652caf2841fef573658c99029fb717f47f422ba7ac8f91930dcb24da06a8df988a614ba5ed6d328defc7104bb5a26ed1d3aceb916087ab08b84c83

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-256.png.sos

Filesize
2KB

MD5
23c7738117819eba487f525cecbc5156

SHA1
8652ddfa77d6ac71274d67ae87845dd019af9e48

SHA256
2e203d03f825348633987ff25bb6f4f2944e1f49e9917d591fe827067abb01f8

SHA512
6259e9c1454c274bf20b0a401b17faa61c887df915aaa353dd1542999acd6e7530a0d184625266c2a3679fe4c3479c7e7aef07de4952bbd5dbaf9a71f915f4fd

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-32.png.sos

Filesize
304B

MD5
ac2a40fd670659cc02825bb5cb572d05

SHA1
c708c99cc04c41830e6d830b50187308cf42181b

SHA256
50775ea86fe4ac051f2825d1cc25c783cafaa778fbd21bae59abfb3c954995fc

SHA512
bde6a4eeafbe509852ac4735e1fbf872ebf8cc52936adec75037d3b061d401e9290c4d7f1f50a7c55ddce5b69cb8cd44e270bd8267c161dd81fccf6e08ce15d8

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-40.png.sos

Filesize
336B

MD5
c762fb9413f115bb3e648e68f3caf165

SHA1
3122118b367aa8b01be549a4704ffa6d211e1f64

SHA256
c5c62d327b9d04ad073cb4ab48c657fcc34625c7e431b87080a0a1c90a40ff05

SHA512
eadc7866f59a2e7d8453afc3ee473d834c08fdcc140b80848fafa15d3aafa3c53112a98430875575be560e436f773488c63ee4a6d0fc1df114cafcceefe8d5ba

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-48.png.sos

Filesize
416B

MD5
aac6fa0cb9b839b3b10a06f835320995

SHA1
32d1c3da363d76d7cf01ca7c86f17fbf888811f5

SHA256
24e07dd202a3d6c1679d6294544a0184900d67a37a1634a4b136b18543330e01

SHA512
8b6e7627a26b44fde7aed7006dd2f48809a8c3676328cd6f303ff8b9005460db1ed8ee3dfae426a087c9099eb0447a7c89a9afc54cd4cb9e94e7d3207f802204

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-64.png.sos

Filesize
496B

MD5
81ec62a261c32a184d09c8946d07f84d

SHA1
cfe9324d98c346606ea4f5dbf53e83eb15dde523

SHA256
3fdc3c689754af592a4301000758d68cfa7a2e83198388db80e90b06f8d3d77b

SHA512
a31e35e14bea03b2f6d4fed351b3d018960aae117e4df286a98530ab4ad17bbbbad59026cd3ed11135cfed4dac5159f899fca41d04592044666ffe5cb5f2b87f

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-80.png.sos

Filesize
592B

MD5
298d73ec3e739ab80640b930b77def34

SHA1
4d348ca8d2ad81a0822282bc64a8ae461ceb39a2

SHA256
028a3b9f52248843ec05542abb7e49dc6b72e94c1e1dd9009da97cd8a699e245

SHA512
db95d7b78b4b1f28c9c1efb62ece2d97a90e756c3d45e4beee394e482ccee1034c14a80555d611ea6e4877bb6ab36342581a04d4bb294a9019ea007765dabda7

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-96.png.sos

Filesize
736B

MD5
5f267df1fd68168a8f34cecf60ff5e22

SHA1
6a6adc303a252757a4a20a1d87437cfa600b4cbc

SHA256
def28bef15210e8f5e499b340070aac4621d6fc6627bf347511084666cbd02da

SHA512
a0e7c9cab550dec71a215e115fddbc5a3165a91d84cc8cc7f3eeaef61096b6a678db475e753e685ef42f362e9c7acd773e25a7a0b364f5ad2592d0e5182d8bb6

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\splashscreen.contrast-black.png.sos

Filesize
1KB

MD5
e0dfd340a5b924169eb71f7d70834f1e

SHA1
5f008fe93103ea8ce9a39c99de7bde23063074ec

SHA256
4e777a3ed3ca7b8094352b85d784e973fb0c9716307586d044ef953b220bef83

SHA512
2d081283ec837febe522b94c589fb6a7c084a46fd3dab9f4f5401fac48d12fafad0cb03b27469c7fe9df06e01cc2e3555c5746dc4d96debaf69a3fe0d29e872e

Download Submit
C:\Windows\servicing\Editions\ProfessionalEducationEdition.xml.sos

Filesize
23KB

MD5
1a1febda702fda4341b4d5e1002120ee

SHA1
4f6b8309c57b156baa8dc1b75cf240100c102be4

SHA256
5313f15560b8e957df3a7b84e3b0a9be2a4f1d49773a7250c2c288ea9a239807

SHA512
e09493f7e985be6c3c57a4bd1b3f9d91bea9e356ee65f8cb577358e9eeb31f57292947bfba505c402ba849bd043873fab2c09fd37e58b41d64ed0e5e5eab4c0f

Download Submit
memory/4200-8534-0x0000000046820000-0x0000000046848000-memory.dmp

Filesize
160KB

Download
memory/4200-8537-0x00000000468B0000-0x00000000468BE000-memory.dmp

Filesize
56KB

Download
memory/4200-8535-0x0000000046850000-0x0000000046872000-memory.dmp

Filesize
136KB

Download
memory/4200-8536-0x0000000046880000-0x00000000468A0000-memory.dmp

Filesize
128KB

Download
memory/4200-8538-0x000000005AB10000-0x000000005AB92000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads