Overview

overview

10

Static

static

de51ca8c61...9b.exe

windows7-x64

10

de51ca8c61...9b.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

  • Size

    637KB

  • Sample

    221126-nh81gabb76

  • MD5

    17740a31da003de7d03e1a89ffa01b40

  • SHA1

    1c7089eb6f37035a18cee7a7bda7fa83c85d18c1

  • SHA256

    de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

  • SHA512

    41683bc9c98a5f2fdb75d815cb866a03166cf56d745d1876ebb1d4bfbabaa5df32ca3fdb6d291f793acc4266231688e5a9b9d4b18113a47f21ebb7f1b39c5d61

  • SSDEEP

    12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files gbtcmzk.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. FTZATU-DTQQWZ-ROZHZP-CUTWQE-XFROHP-NVHVUR-U24CUW-RJ3KLK QSGEHR-VELHLP-PV7YN2-DMWZE4-4FLJDP-2YWCPR-52XJQL-6QAGIH K2TZIO-47EBZL-QWP6DO-ZL6SNT-KTJEIR-3WJQNX-BUKEIG-I6DRP7 Follow the instructions on the server.
URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\ProgramData\orxfdbk.html

Ransom Note
<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242 onLoad="window.location='#list';"> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.<br> Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br> If you see the main locker window, follow the instructions on the locker.<br> Overwise, it's seems that you or your antivirus deleted the locker program.<br> Now you have the last chance to decrypt your files.<br><br> Open <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://uwm2wosrob3gplxy.onion.cab'>http://uwm2wosrob3gplxy.onion.cab</a> or <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://uwm2wosrob3gplxy.tor2web.org'>http://uwm2wosrob3gplxy.tor2web.org</a> in your browser. They are public gates to the secret server. <br><br> If you have problems with gates, use direct connection:<br><br> 1. Download Tor Browser from <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>.<br> 2. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://uwm2wosrob3gplxy.onion'>http://uwm2wosrob3gplxy.onion</a><br> &nbsp;&nbsp;&nbsp;&nbsp;Note that this server is available via Tor Browser only.<br> &nbsp;&nbsp;&nbsp;&nbsp;Retry in 1 hour if site is not reachable.<br> Copy and paste the following public key in the input form on server. Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>FTZATU-DTQQWZ-ROZHZP-CUTWQE-XFROHP-NVHVUR-U24CUW-RJ3KLK QSGEHR-VELHLP-PV7YN2-DMWZE4-4FLJDP-2YWCPR-52XJQL-6QAGIH K2TZIO-47EBZL-QWP6DO-ZL6SNT-KTJEIR-3WJQNX-BUKEIG-I6DRP7</pre> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Follow the instructions on the server.<br><br> <a name='list'>The list of your encrypted files:</a></p> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th><b>File</b></th><th><b>Path</b></th></tr> <tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\</td></tr><tr><td>README.TXT</td><td>C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>Mso Example Setup File A.TXT</td><td>C:\Program Files\Microsoft Office\Office14\</td></tr><tr><td>Mso Example Intl Setup File B.TXT</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>Mso Example Intl Setup File A.TXT</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jre7\bin\server\</td></tr><tr><td>readme.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\lib\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jre7\lib\</td></tr><tr><td>io.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ms.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THANKS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ro.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cs.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>es.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>ug.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>be.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ku-ckb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AUTHORS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\</td></tr><tr><td>History.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>NEWS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>vcredist2010_x64.log-MSI_vc_red.msi.TXT</td><td>C:\</td></tr><tr><td>vcredist2010_x86.log-MSI_vc_red.msi.TXT</td><td>C:\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\</td></tr><tr><td>VeriSign_Class_3_Public_Primary_CA.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>SignedManagedObjects.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\</td></tr><tr><td>Thawte Root Certificate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>SignedComponents.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\</td></tr><tr><td>VS_ComponentSigningIntermediate.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>VeriSign_Class_3_Code_Signing_2001-4_CA.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>Management.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>RELAY.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>Adobe Root Certificate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>AdobeAUM_rootCert.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdater.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>AccessBridgeCalls.C</td><td>C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\</td></tr><tr><td>viewDblClick.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>autoconfig.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>viewSelectionChanged.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>channel-prefs.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>MENUS.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>ui.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>common.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>Hierarchy.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>controllers.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>SUBMIT.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft
URLs

http-equiv='Content-Type

Targets

    • Target

      de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

    • Size

      637KB

    • MD5

      17740a31da003de7d03e1a89ffa01b40

    • SHA1

      1c7089eb6f37035a18cee7a7bda7fa83c85d18c1

    • SHA256

      de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

    • SHA512

      41683bc9c98a5f2fdb75d815cb866a03166cf56d745d1876ebb1d4bfbabaa5df32ca3fdb6d291f793acc4266231688e5a9b9d4b18113a47f21ebb7f1b39c5d61

    • SSDEEP

      12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks