Analysis
max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 15-11-2024 01:23
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
Resource: win10v2004-20241007-en
General
Target: 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
Size: 6.9MB
MD5: 003a07edaa89b9eea34af223b4f41b49
SHA1: 8d849af2da15c5e276c82cc7387df6765f788055
SHA256: c669cb70d13fc719fdc4fc3f95666761558a51609eb03e60b8443b81ada25469
SHA512: 8cf5428b2840fdb54a13844ce3d9e60a4fe041af4fb6a9111b1a017bee56de2cfc2bd70406bd70e0d6bcc838af0b3d034e2c41ddb535bed0439cc848bcce8c06
SSDEEP: 98304:QKfpHgI1ZYM+bklVoPsurTLtYUG8BqYu374CD:QKrZp+oXoBYUG8wlLRD
Malware Config
Signatures
-
Clears Windows event logs 1 TTPs 3 IoCs
Processes:
pid | Process
2980 | wevtutil.exe
2060 | wevtutil.exe
564 | wevtutil.exe
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | Process
1740 | bcdedit.exe
2552 | bcdedit.exe
-
Renames multiple (10071) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
pid | Process
2796 | wbadmin.exe
2652 | wbadmin.exe
-
Processes:
pid | Process
2476 | wbadmin.exe
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 2 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.encrypted | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\killnet.bmp" | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 46 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | Process
2924 | vssadmin.exe
-
Processes: IEXPLORE.EXE, iexplore.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81DB1C71-A2F0-11EF-AA78-72B5DC1A84E6} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: vssvc.exe, wbengine.exe, wevtutil.exe, wevtutil.exe, wevtutil.exe, WMIC.exe, WMIC.exe
description | pid | Process
Token: SeBackupPrivilege | 2140 | vssvc.exe
Token: SeRestorePrivilege | 2140 | vssvc.exe
Token: SeAuditPrivilege | 2140 | vssvc.exe
Token: SeBackupPrivilege | 2216 | wbengine.exe
Token: SeRestorePrivilege | 2216 | wbengine.exe
Token: SeSecurityPrivilege | 2216 | wbengine.exe
Token: SeSecurityPrivilege | 2980 | wevtutil.exe
Token: SeBackupPrivilege | 2980 | wevtutil.exe
Token: SeSecurityPrivilege | 2060 | wevtutil.exe
Token: SeBackupPrivilege | 2060 | wevtutil.exe
Token: SeSecurityPrivilege | 564 | wevtutil.exe
Token: SeBackupPrivilege | 564 | wevtutil.exe
Token: SeIncreaseQuotaPrivilege | 1096 | WMIC.exe
Token: SeSecurityPrivilege | 1096 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1096 | WMIC.exe
Token: SeLoadDriverPrivilege | 1096 | WMIC.exe
Token: SeSystemProfilePrivilege | 1096 | WMIC.exe
Token: SeSystemtimePrivilege | 1096 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1096 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1096 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1096 | WMIC.exe
Token: SeBackupPrivilege | 1096 | WMIC.exe
Token: SeRestorePrivilege | 1096 | WMIC.exe
Token: SeShutdownPrivilege | 1096 | WMIC.exe
Token: SeDebugPrivilege | 1096 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1096 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1096 | WMIC.exe
Token: SeUndockPrivilege | 1096 | WMIC.exe
Token: SeManageVolumePrivilege | 1096 | WMIC.exe
Token: 33 | 1096 | WMIC.exe
Token: 34 | 1096 | WMIC.exe
Token: 35 | 1096 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1064 | WMIC.exe
Token: SeSecurityPrivilege | 1064 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1064 | WMIC.exe
Token: SeLoadDriverPrivilege | 1064 | WMIC.exe
Token: SeSystemProfilePrivilege | 1064 | WMIC.exe
Token: SeSystemtimePrivilege | 1064 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1064 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1064 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1064 | WMIC.exe
Token: SeBackupPrivilege | 1064 | WMIC.exe
Token: SeRestorePrivilege | 1064 | WMIC.exe
Token: SeShutdownPrivilege | 1064 | WMIC.exe
Token: SeDebugPrivilege | 1064 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1064 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1064 | WMIC.exe
Token: SeUndockPrivilege | 1064 | WMIC.exe
Token: SeManageVolumePrivilege | 1064 | WMIC.exe
Token: 33 | 1064 | WMIC.exe
Token: 34 | 1064 | WMIC.exe
Token: 35 | 1064 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1064 | WMIC.exe
Token: SeSecurityPrivilege | 1064 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1064 | WMIC.exe
Token: SeLoadDriverPrivilege | 1064 | WMIC.exe
Token: SeSystemProfilePrivilege | 1064 | WMIC.exe
Token: SeSystemtimePrivilege | 1064 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1064 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1064 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1064 | WMIC.exe
Token: SeBackupPrivilege | 1064 | WMIC.exe
Token: SeRestorePrivilege | 1064 | WMIC.exe
Token: SeShutdownPrivilege | 1064 | WMIC.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
pid | Process
1120 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | Process
1120 | iexplore.exe
1120 | iexplore.exe
2452 | IEXPLORE.EXE
2452 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe, cmd.exe, cmd.exe, cmd.exe, iexplore.exe
description | pid | Process | procid_target
PID 2248 wrote to memory of 1740 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 30
PID 2248 wrote to memory of 2552 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 32
PID 2248 wrote to memory of 2924 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 34
PID 2248 wrote to memory of 2796 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 38
PID 2248 wrote to memory of 2652 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 40
PID 2248 wrote to memory of 2476 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 42
PID 2248 wrote to memory of 2980 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 47
PID 2248 wrote to memory of 2060 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 49
PID 2248 wrote to memory of 564 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 51
PID 2248 wrote to memory of 2024 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 53
PID 2024 wrote to memory of 1096 | 2024 | cmd.exe | 55
PID 2248 wrote to memory of 1156 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 56
PID 1156 wrote to memory of 1064 | 1156 | cmd.exe | 58
PID 2248 wrote to memory of 1480 | 2248 | 2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe | 63
PID 1480 wrote to memory of 1120 | 1480 | cmd.exe | 65
PID 1120 wrote to memory of 2452 | 1120 | iexplore.exe | 66
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-15_003a07edaa89b9eea34af223b4f41b49_lockbit_luca-stealer_revil.exe"
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248

  C:\Windows\system32\bcdedit.exe
  Command line: C:\Windows\Sysnative\bcdedit /set {default} recoveryenabled No
  - Modifies boot configuration data using bcdedit
  PID:1740

  C:\Windows\system32\bcdedit.exe
  Command line: C:\Windows\Sysnative\bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Modifies boot configuration data using bcdedit
  PID:2552

  C:\Windows\system32\vssadmin.exe
  Command line: C:\Windows\Sysnative\vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
  PID:2924

  C:\Windows\system32\wbadmin.exe
  Command line: C:\Windows\Sysnative\wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2796

  C:\Windows\system32\wbadmin.exe
  Command line: C:\Windows\Sysnative\wbadmin DELETE SYSTEMSTATEBACKUP
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2652

  C:\Windows\system32\wbadmin.exe
  Command line: C:\Windows\Sysnative\wbadmin delete catalog -quiet
  - Deletes backup catalog
  PID:2476

  C:\Windows\system32\wevtutil.exe
  Command line: C:\Windows\Sysnative\wevtutil cl system
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

  C:\Windows\system32\wevtutil.exe
  Command line: C:\Windows\Sysnative\wevtutil cl security
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2060

  C:\Windows\system32\wevtutil.exe
  Command line: C:\Windows\Sysnative\wevtutil cl application
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:564

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /C wmic SHADOWCOPY /nointeractive
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024

    C:\Windows\SysWOW64\Wbem\WMIC.exe
    Command line: wmic SHADOWCOPY /nointeractive
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1096

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /C wmic shadowcopy delete
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156

    C:\Windows\SysWOW64\Wbem\WMIC.exe
    Command line: wmic shadowcopy delete
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1064

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c start iexplore.exe -k "file:///C:\Users\Admin\Desktop\README.html"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480

    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -k "file:///C:\Users\Admin\Desktop\README.html"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1120

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:2452

-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
PID:1864
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
PID:2952
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
PID:1972
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access: 1
Indicator Removal: 5
Clear Windows Event Logs: 1
File Deletion: 4
Modify Registry: 2
Credential Access
Credentials from Password Stores: 2
Credentials from Web Browsers: 1
Windows Credential Manager: 1
Unsecured Credentials: 1
Credentials In Files: 1
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF.encrypted
Filesize371B
MD546e3b43b64cd76844a098dedb9a2ee87
SHA10cda5c7861f24c6a921677664840ffad39a792c6
SHA256fe69f0976b4fde45acc5f8e43878930fac5372d9419a195456cf50883ae59bf8
SHA512424bca747960f48e6d2c3f800d00c4d8e50f7816ca9f5d9128d7945464bd790eb5e2e32bb8c1ce1a3bdad4a79d844d5b2f45810dd6e039c00971c476bf23675f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF.encrypted
Filesize371B
MD52078fd947b2a47d21c9da5d58c67b459
SHA1a29e4d7a37d36cf739d82b37ed4850374f6780c2
SHA2566fa5a2ee83d56c64babba196898a4d7c0e4659612d0ceb2e7821d539b6ec1582
SHA512c3cb0b08f652b44fbf22801c3d0cce29e97cd4a89e3d866670001aff92376e271712cce5e1c4aee05b00ceb191928e402893c4100b4fc62b5997018c0bef770d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif.encrypted
Filesize6KB
MD57cebb1497bb6d0dd582129ff8c7e041b
SHA1d0bcbc9458c6759a73244bf3c92ddcd114ed1cab
SHA256240216db02601a9372f8a2ac82f879955f6caf967b7bcbf4ecc8e0b1bdd11503
SHA5129d32222f8b80eafa0ffe77a0c84f069d9b136c262d770274f53855fb6a5724bec74037f1aa3d3bccd0b33127f371d8ba311b57e691d6695c60ab36b6ab2c93b8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF.encrypted
Filesize435B
MD50c19fe3a4ec44b5048880043a0bd2bf7
SHA114bc51b233325c232a9bec521b9810fdfa378228
SHA25692093830f83cbb6d4157d87c9ce2b2264dd3978195e740514d67ca13f2f6fefb
SHA512ba9dec959d06974f4b6307358b374811fd9ee1071b842f837f9c7ad19f5ed0024bf185810c8ff70e95a3284b655d16b90cacea77d563a4f033241b39c512f465
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF.encrypted
Filesize26KB
MD5d4bce539f16c845ac6963d845530b246
SHA1693e066adf082c0783502730a30aa8883913f614
SHA2568757cf96ddbe01883955aef5c9a4acfed13357f36ca7a50a411eb5f690b6d2b3
SHA5129aef933e1dd5cae29389240689c9e0bfc009fea2215f8fd8cd8f69b96aff6a93726fd56f61681cd8f7d6b2c604eccad915e1787c4d627ca84a40a55a5fb83227
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif.encrypted
Filesize822B
MD5b7fdc1ebb9e3aee1d3d19138ca6beb4b
SHA1532062487d53520de263b1946101bce443df3577
SHA2569a8bac9cebca388ab041574399461bbafac2d19b47bb30129b145c06a911b140
SHA512a7e74559832f443e2821a8494e5ea72236b0e957dfa228922077df75840896d7543569414d83e56a54bffee2459ce76f428524b418936fa6df7f77c4d34d3fb7
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF.encrypted
Filesize877B
MD5d4d09d57e46664c05717fde9c824a3ef
SHA16756716cc159810458d65b6d6839ff282a856067
SHA2567bd5cf94bd32db66cc1769af1a896ceefd07d1a5433c476a5eb278f7f6a7b0a6
SHA51296138de3d6d671057cb4b0048da8dc0e2185e4c29dda5c7f3abefe2d984990b1ff1a0834d69b59863d9bed97e189892008c3b335416eebe017966cf692918069
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO.encrypted
Filesize325B
MD5cc4a0da9a035f6b5aa9b4dc446aede39
SHA1a173d3f81eee33e7f4a71fc7086611631e847f6a
SHA2563c01e717ffedd9cc639cb8a432804351497b23dcb68b77d601e90f601db4ef5b
SHA5120e4f987c4444a20f46af7e480136a346f6418ad93fece5a1c7ff2e5272621458737e50ee8deeea95f6be122e08a54663b99d30c98f26335104ce0d01597b3622
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.encrypted
Filesize3KB
MD53165b10abd77accb0c77509ebfd38b61
SHA13c32677141aa2d1e3feee45eb4b23bd365a41335
SHA2566ab6e96016217d303d2f90d61be3df2a9d5e8dc7477a4905e827a6333f80ceaa
SHA51215b9754cbde646ff8a3a520af42ba56db6896d7f15758d06882969a09007a08b05856d0c52aa8c555054f60a976fba18bacda9af56500680247dc44d71226b18
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif.encrypted
Filesize2KB
MD5b218b522d3dd1b8cc3f7b35017a54756
SHA194c575107f34a23a31a74a88269633750f277f55
SHA256f04d9ab8e6c77069d2bb05cc207170b8d2ce2593e1abf462e18a03fbc771d8c8
SHA5123eac3e1fd9fc44276eb643d22b0179726f0b89d86552c95e5eed7623df9ae1c634dc8bad9127b5e72817c96570595717a7f0b5a7371df08883f6d055587f5ed4
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif.encrypted
Filesize19KB
MD553f40f2a5a778951e2e7f703504bbbda
SHA1b5c92b1bb9ec2d4e3839293c2953322acf4c0834
SHA2567351894a355802e95bb7c4fb3fe3eebecd8ae5627a5e61a5cea211e29e8354bc
SHA512ac41c12bdc7c6d0fab14ddff29681eb26c20a36a59f5be12ba26e9cccd08b36bcaae1a59b70129a3b225ccea79fa1e6582159a6b86e6b2b4a49d2c383cc48452
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif.encrypted
Filesize897B
MD5a6569a67fd649cf88d1a6cee0da519e5
SHA142c5883ed7dd99671f7f49e5972c8b943a208528
SHA2566c4671a38f22e54552277c9f40904dc049357b5db8f3510b9e64c00b62f7a6fe
SHA512c8d7cd36b653f7bd91cf0e7feb25d2f06a6544fc0dd443c0c5bf9486a74e2c8cfee9a798eaf5d03fd70bd8d1dbd8fa6a6616840dcee9086fdf4dc8fd1a1e52dc
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif.encrypted
Filesize859B
MD56eba0875b74fccce84ced66aad8cfe48
SHA186ff08b879317077cc3d888e6380befd74b32cfe
SHA2561559a7e6808d80f54f2c20ed303955007dca32d9ab013726f3f0ce26552f6d94
SHA512f3cf919d793f86212a4447e5928c82fe6f536f26613700b69e4fc9f15900be00927453c04dbe08cdd279b3b0ef389a73375d8231fda8faa89862d48fc953fe4b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif.encrypted
Filesize867B
MD56ddad81340c36e3c7838dab1de992256
SHA14c8bc7df87de4634e820da0a1afc2cb10a9a8ca5
SHA25664498fb0e85da9c280cc4e6a4d9933a32d8fd26242db801ef616dd7d2dd20724
SHA512c12c4ff4dced53c7656ab0631be1c30d1227e91b444b13c761476ac4bd5aa09205edd5403d6bec2ebcf1b3eef2d621230ee4cd4d32be822498e3f47ddebd4664
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF.encrypted
Filesize587B
MD502b92bcce7c87e471e9ca990d5e83651
SHA1ff0238c643cf8af0c2d7609ed4df5ed1738398da
SHA2560e957676fd8d48ab75ee27d1f0a7c89d46db40a6fffdec78e90b0196929032a5
SHA5123e7d0e7544336854598de29a8a33ec72806c40a5372dab994ab3ec28d90952016f9b176536b4776a92bafd2ba2c9dc9f441f19f7855d072ce52ad5637708af8d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF.encrypted
Filesize906B
MD59954d7d65e78e658cb6a0cf780867c06
SHA1933a01e9429737b7d4a25d86c0f842b112004be4
SHA2565f4f64605b79085d41ac24d8be7cf852c51cd9aef1556702c7175df399840124
SHA512b30cbf43932fbe723b063fc595539353dd0798f90a42ce8b7abd28d1672ef2ab0d71ba30f8e04826ed26fe00220ba692b4dd07ca917a53f973ce1fb2314f3b5f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF.encrypted
Filesize632B
MD55ca44de97cf697521ea5f2f31dc2af1a
SHA153c4acd4b5a35f9eac452c05f763c38a0457eef0
SHA2568790b0f1eacadb2c12763541590549bb19565f52508d1e0cc3fa7267b9b502af
SHA51201ef05036037c29340a053d32409f86145fef8c72677f89181260a8b8932722b91ccbda7683854c80219951acdf9ff90f8555791e97ab5d8063f187dcca7893f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF.encrypted
Filesize880B
MD5dcac15de15daa57d0089eb3c6895246d
SHA101f37ae9f264702d4559befb52b8f1257a00e93f
SHA256228bc3af80a535421404d56f0786158f9ecad0165bfd731e46437dc70f68cce7
SHA512f331f46dfe27372b2a2121d91052a052e6264bd772b40f9d7050dee3ac48d012e476eafff1c6ac63d1755d43538ac71e67306f009ae8e7c8875a3a27aa5e663d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.encrypted
Filesize5KB
MD5c9379ca2ccdecea302c318aab8596acb
SHA132353968dfd06d793f2aa5e38c4a426f573be1bc
SHA256374fc939e7dd671c99b8edd36fba05959dd42471be1a817e8d284cce4babd8c9
SHA512b5d1369c1b5f2a0d57055dfa7f50bb38bc21b69de57dd39aab3fcbff3cb56fca6347f4b129c97c31a18a2877905995588701bd755413c46b0cf5bdec9d838d89
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp.encrypted
Filesize1KB
MD5ea33dd8cc1e38148928bb8f08cd7e74a
SHA147567e82e2566bd85bb1f9e1578b922692ad2cf4
SHA2567905d35203bf217313ec3060960f2c55dbb39aba90263d1cc58743013b073289
SHA512a59fe5d1fe0053fa45662a217a4b177760cc673004d12a4e501ee89c25569f141aa4609991df43de0612b991bc817637a4e5fb40ca7b569dd12612276726e980
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF.encrypted
Filesize622B
MD5b921394698f77d0ba5b924e8d73e47ef
SHA1651675e31bed6e60588ce8230162e1ac560a58b0
SHA2563eb60d4659915416525433db347a233617f5786a5d948e18f9eaba43ab58a136
SHA5129656b0db9f3b896b0640ee97e88d3dbe4a28ee4a9ebc2731df15464a100ea39b6c6fcb70784a458f4198adba26c6861ab77c259fc80a3a64fe882f5588d0dafe
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif.encrypted
Filesize855B
MD591988615fa1aae2b1b1d4621be14e060
SHA14dcdb9c690c682477150ddc2ea0958df8bb79515
SHA256ef5638193345f7650a9c00c2fe80a996e05d151ea4d2c7723b9c44231ba6f755
SHA512a2d532fdeb52566b205e92604f14c8aa821e6ba87453cea4349b39c0c7296a3fe3d74f6726c8619d76e30b0f0ab6b4f23ccf197124af8d409aad44b239e5e20f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif.encrypted
Filesize854B
MD5e45286ec85b50454cca83624535691cd
SHA1e0bbb8b51ad7c8bb1617140e7107b20dca082ea9
SHA256784e4900eb3818148416c9e29cd7c2bfdb3dc935c4dff2d71ff78348959f98bc
SHA512cab1670f3fa1c606f29040e29d7b134c71fd5e23c31a6251668ae738a75441d44363b9fa715d1e11387e49235ca293e416de79571a0d5c406f87922b05c5f2ee
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif.encrypted
Filesize876B
MD533cbb6e5f69203e0c739fe5ef8e91a9c
SHA1820b5bdf8e5163e783ebff419942b7f665f81a55
SHA2568133a950a82f447177a912abd7da638812f55f9687cca82a63771ca95cfd60f5
SHA51249d7414955ae6f5b04f49099fb99bafc340d4317f5722d2c788c5566a6a516ebe56a36309e97d052d6ca8a31091f833590dd91d7e4062c27340ef2dede3efd8c
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif.encrypted
Filesize854B
MD5e5ec75523c9ccaaab0ef37b1b1ba9024
SHA11de9d05a5e793873c5e38ebfc81261574a669603
SHA2568ecfdab6c7bd1193d18bc963a5dd5cb914cf9f9b3ff954eefd259d121bcf662f
SHA512721c2f9ee573e35d8b2de3221545c58343ce63deaba8a0942771ba2b103be40acd606d56e4716a07dd2002f7d975f20def5b75fe459e713c5872445a799db441
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif.encrypted
Filesize870B
MD5f58893596bb60ad0eb78dc54a3b40033
SHA163eff0fea360dbd74707e62256d212b5ab39b603
SHA256a750d73a30ba53667513a4337e955eb52cee9990fd5f6201795effb0d633ce95
SHA512fabd230b6ae913639083c18957eee39e6cc926f5c25592182275d4833fffbc1fdaee9934a1595ac8cdd28a08e8407c8419c573d13f35fba9110d374053d496d5
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif.encrypted
Filesize868B
MD52fc1dc70d7ad2cdcfe4d3fe4fd29255a
SHA1dab0d30f9bbf6fffc41f1779190da16061539e6f
SHA2569638f0c7a9d97668a657041d8c4dfd204335b91b6b3f1d6781a2e0ab97410743
SHA5124a89e131eaaa877db6ecd921ef0ddbd0cce0338d1b70e3d3acc9db4dbaac541f728d6a0f3786080599eb796709c081c5edf163eb511ce202d16209e33983d6b5
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif.encrypted
Filesize857B
MD5924a23390dc0c8f83cd56690ffd639b5
SHA11c5a681f142493d9a719d88730072ce9cb3ad47b
SHA25666114f3372b8fc790a8bac58d7ccd283aae5e3d10444e52670ec50c3c45ef288
SHA512055a16ec2ee7cfb327933d75f704d1bab4a3a06c11e85ee9c3543a88f0901ac3b37ac92265aa55f7beee349598904ddc938575887eef319b81c14d3b67e3ed38
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif.encrypted
Filesize890B
MD55ff819131c394f7409670f94f16b00e3
SHA124e9d89773bb1c8285c4cce9e6ee5c938b8df2cd
SHA256b0fcb6b00cc2269c2bdb5c8cfdb73f573c1419b8e6a66d04726fa129f43e777f
SHA51204c5154afc9a93c3a65e8cd7b3e36f63f4637976767ecd31f63d567a4661def255446f285323e6f8bc55c72463e6e53b793d4ab47d6e44aaf65fa2c357ba298a
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.encrypted
Filesize247KB
MD5c5935f74609b66e0378162b15b828fcb
SHA1ebc6199f3bc0321142f614eb362ec43597902946
SHA25602a70ac865cfcd959e69bd696566bacb7f26e2d74a00059c91635b994f6e0875
SHA51260713e7bfdee2d83ff25e9ab0374aa3402aefd148b0616109b9c517e0d6498e73ff2bbf9874fb85d1822c905800e5d0f3f99d2866d29582e764aabbca2862feb
-
Filesize
814B
MD5003bd7d9397736e30a282c69322356e2
SHA1401907b55600b808f02dcdcd29a6f6c5d76b02ed
SHA25675b7122ba190fa47954ac92378f0f7dff90925a67d80d1a74408041ee41baaa4
SHA512288cdd93ffbfae1184ea854a7bbf8c04cb78e9c035505b26a7a5969a7e407932de38ee2390b4fbef23e276ad75a746b635b83d1ee961af90049de6ffcfa1617b
-
Filesize
813B
MD59b53b688ef0de0c144d6ffb754ffd669
SHA12335e4377125b697c048743d7057b0b53c7e28d2
SHA256f5cf4864f348c2483c52365cd11a75e0d5f82b3e7f64aa1a53b5193edc992eb8
SHA5126003d8d6feb5de6eb0080750734e885ed0f8f82da97108057c12b0a585bb76c74c2dd222e8297d6f47d9ee5085ea78703b030a93397ce19b4812bb735d3cc988
-
Filesize
5KB
MD5c8f24c1d528020b1d0666d5f563a8d9a
SHA1162a09c5645bb2ebb932032f9775d7f503cd530b
SHA2564958004acbc7cd7074a4ccd4a26a5bb109ac084b092fd22ff0abfc0952c71a89
SHA5125bf7104c3242c0bfced429df9728552f7e672d0943483afd10f9745971b55fe69ac804223b609a547ddd974c195aa431d24a8ab56113397e71e8ecd0e01c5a40
-
Filesize
809KB
MD5b78c08dcae3ca9f4df486e705696a750
SHA16c86c462c42b558e2debfed1c7dee9d5d77d666e
SHA25608e9c1b80be1e7d72731340720b97e3f1d03c1cbc87279a349d80bda2115d44d
SHA51272a45acf3ba20c2b60ff140d65a4da7292a102c96c7aa505822c2956a101a42d734d342f29782290a1138d70f68b6fd7a55865cd1747075b1ca5d0b19fbf3a12
-
Filesize
160B
MD51ace8cde1e346903caa8154805062d29
SHA1033b1e525a611b1250d5f7990c53d7d70c03e225
SHA2562b5c9789ed1e335ea77064dceddf608cefd92009fbdf3ffea12e1752bf79ef55
SHA512cc042a8df7226bafeb38c5bc29cbd5de4f8da4dd205bf880ea4ec786268437c16ed752a0d8d625a89ef72c43e2d226817d89388afd07283cd27eb3675998e27d
-
Filesize
34B
MD5f6004d108b74d14fec1917b71c2e78ae
SHA14f396193c65ca8e82a4ffc4646b641bcb50b7247
SHA2567415e75e69fa746efb4e693913051793ce135cc430edec727eafc17c2ecf404c
SHA5127b4577b4d7af4f378656853bb5761ddedd9c69c369fe18351d0d98cad1932342abfd407027855990b2024d13373e7e65a132cd72baf371b4b70e5f828b4f9d45
-
Filesize
34B
MD522f8813effa5dfb11e7f734ba3f2976e
SHA17a00e31b8c27b87db1e9cb846b5dec17a0f1142c
SHA25649581c40ec9fe805b1eb6424aad155ec05cf126a2cdbde211743e2afe2377c52
SHA512da9574b344542b2d29084279ef0b7a11ccb0e9a983def5666e50d110ede5fbad0cce9edfa32396a931f6f88f359656a362babce09dd3b6a3dffdd8b24f185edd
-
Filesize
34B
MD58c19e929465d1c83c2764c2182874fe3
SHA10192333e3b59ae6e506cc6d89acbf07332ec56e4
SHA256275951b9b916ca244efbc437518684fb6147157cdf77ffb43ca3d665c2f56cae
SHA512bdaefa8fb024d084e5b618940f94da76bb391dd39b73060286901e63452bb8770030cdae57940e410cf11c6f5647f04c647d368cefc7ed9f25e8f18fed97c47d
-
Filesize
34B
MD57d4e9b7bab70722ce4706abdbcf084e8
SHA14e0c140932948aa51cfe4386830701e3d0407972
SHA25623ecb98c7fb0022de430438915ec89e5d5488aa0076ffc28ae0e5fede59696ed
SHA5125c544d84c2ad071e5da2150faca0a047d1249f26dd2233cc410da3ffe662abcd37dacca7bbad042eb9225c31fc2a878f7585c67a3c04af15a9d0663af1bca2d8
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.encrypted
Filesize12KB
MD523043516fe7537d05c89444d2b8225f6
SHA128de4d761fdd75176b926b22ca96058288774c84
SHA256f020a7f6997bf915cc5c7423d646458218e593e82da336d3c5ca17aad0a0530e
SHA512445c99c506c17ff174fb429bfc691a23811ba25e41dfac14bed46da12231caaed40c3bfbd8344ceb146627952fd53756ba222bfe4d1b38aed2daa3f2e56ca983
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.encrypted
Filesize8KB
MD59a1d47b50d7b73b04a29ac10d5e442c4
SHA1b5be0f633a979443c1fa0ace9492d8ff9a63b06f
SHA256aec2733143522c571572ae9da098bfe387a17b44f43986035b5efa43fdd285b0
SHA512d76ba3e7a0c83cf25e56a88bc5dae8f7b0b0b3f1f33fe349d0125f44c4bbb70940fa4ad8368fbc1bbf562f4ab54ba62d7038de43ff8f5a59d49faa56cb94adb3
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.encrypted
Filesize64B
MD53f68072972eb526d1f47b0f5130361a7
SHA1ed9932f6c1a7c6eb03f7be1b8f0b4efd42c9698a
SHA256fda0c6a37b5816da95be210b0a7402523dcd26789503372d49df89bdc184f86a
SHA5121cc7282c792bd29106f918f802f78aef33ef0b65e1bb81d154b605176e5be660fe2fd941ddb83eb3ccfb16daf4d45214dcc93433daf114f0c926842044a17de9
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.encrypted
Filesize7KB
MD5d16a88ea1a1421875c2ffd248abdd567
SHA1bdf6513cbdc5829f948b7c81689c89d29c967ebf
SHA2561eaab07c21ddb95096a614178763a683b726d7a281b09b23964264d652eb91c7
SHA51263cf5d10baca9eb0351e2e077fe0f1601c11722208e256829509c527961d0807ff5fe62a975e0e4898754512cc1a13a0bb7aab579c979a713b76c88dc54ff953
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.encrypted
Filesize11KB
MD57f32118be8a97271fa4fe85aedc405e8
SHA1206d06ecb60538b2621eb751fef4ee3c9da1beaa
SHA256ba1277eb09806a3eba59f4a26051f27cc7bc539fcd95569d680c8c43b79d4ee8
SHA512d66f60f5301deb5ea55f63f384803b2aebf2d3b71b773b46d8db5def00f19f26c5d0504675a321f37f6058ab332eee34d80c0b149b2fb17097c032f80cf38226
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.encrypted
Filesize7KB
MD53256e0dc4011cd4a39ecf20c6f260b5e
SHA1c6f58aeb95e311ae8c9da84be12ab0f69cabbf7a
SHA256f5e56df39136ba5d6c26030f093a7758ee3fcd610568670855545d0ad3333423
SHA512db46df8d693ae9a3057a016cd65a44cd902bd9a88a4c139178ca2e0565393876e550fc64bedd93971f1cea5efb66b45d7ed92b9a975a6b762660ba9d583dd461
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.encrypted
Filesize140B
MD57435b62f79a6e7dc16818837ff1eea88
SHA1c90f70f2e4c3d8caf5c89fab2401eb564dc95292
SHA25624480eecfe805ac2ed43832cbe74e36f28b12eba8660912cdd162b22f5ed1b35
SHA5122665b2437285c5fa9e3da3f7180c3ea304c25bfc4e59564740350649e28064be39cb90e78723edf27eb2e5ea22124d6ba789b3f2c70534689c2fad4bf6527195
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock.encrypted
Filesize7B
MD57e3c78fd34da72591e00ffddfd1b3dc0
SHA1c92e3bf998ae554a70f78e4909d3b8cd3cbb6155
SHA25621dc9fd8ec05856fd268ed7b27cf680632e2ec7d690405dd4aa31a0b8b3f4893
SHA5122bf256cc077a14956be66f31d288a549c7a2b96e35836bcaf3489fbc24d19c9f8db332a6e84b44d6857f679b180c3532ff9e7fa6aafda7c795fa90d540a2069b
-
Filesize
3KB
MD56bf407eff9709eb0b3cbff2589dd6791
SHA1b6d121d60b87056fa06b453cfa01e6d6ebac4f1a
SHA2566da1cf41feeb14a40add7ed8ed9246cf49e85ef9ad65872dbd9b8713d4de2fa8
SHA512c4bad7e7a75931a42fdc5c9aec7c1420c5649bf2b0c9458049db120c896c1a3e54c5c5b00a62b13bffc42da4267c27ccf5a5d1edc60f2d691fd8a1b31cd8cb2b
-
Filesize
48B
MD59270a287347313986fb7a14881333742
SHA1f459a410397cd2dca9b6535620fe40c267323c2d
SHA2562008ee31736c4c03748523c961b949b24965ae33b2c03152e86dd5e77caf6e87
SHA51227464385a5311885fae160eae1a7f9225660a56035b75c94dfbd50817a087a5086bb007e7cbf70de8726e3f0fdf7c62ba99c73f538edd688422f1a72a0eb22df
-
Filesize
109KB
MD547bea616d0c56574258a8f957a1e830b
SHA1140089e6e6da176417f4e7d3b1ec96e1a47f1a9f
SHA2567bf7318c83375f412a1d62cb3c647e547eb2d0b5aeb4edd150fffe70fab45626
SHA512e713dce8da612061db752c3dd263adfce9389e4eb4f38a9b1c65aa2cb64cfb4ba2a89e1dff375620e72b6a45b9ee46a9be8b18d7e419573bdf0045e33bd8f380
-
Filesize
172KB
MD512f92c7372a72a1dfaab97105c872d53
SHA18974bfbd21940546c4d64a3813048a14d12aae8d
SHA256905d726e9eb5af59ac16ccc2365e0621ea9d670da9b114b36a7af930c10f9524
SHA5128d8331f4f93f963e9afec7bd77abeb588f0c17ba7d2822f4eff7423a4b01a8dd90d25060f019471191ac0d6bc4e99fa18e7eef0198cb50e0d4cd8e054444790f
-
Filesize
3KB
MD5e855e2629b37de4542e743a7be6d1507
SHA1e8b230620abff33f64d9adf9a0734aba704ad28c
SHA2564b9916673a6d458a3de35f62b6d74bd41d18175d39ee8879d36216277e400a41
SHA51250fd7367309953a87ae26135f74fc44c608cf142ba8af52a63b45019f7a53e254ffd952e455d9a52d8cd10dde766dde9ea25dcd072ba24ee3c3c2119d4d691f3
-
Filesize
34B
MD5e438d0b1406450e49ec4479a3e2c8a54
SHA16805d8d399b2d4c834d73588bbffdc93416d5bd2
SHA2566ac1aad3b94751795624f377289051af4c63a307809aa7ed6a7a8992ff6bc9ff
SHA512f49bd19e9d03b3df12213b38d7d990e69061190587f6d0c7f828b865b0251cb4307577e3dae88ea3f73cfd1896b1cf34c1329ed0f30bef68c8f572c355eaeae9
-
Filesize
1KB
MD515ab6a69c3102f78106f2b1aea7b2011
SHA15370c612b3ea23199596edc124a98302ac094fcd
SHA2563489ba7498fe35abde634b2072a8dab29731ee0b4721fcf66ae4296d001dd787
SHA512fb001a1fd1db6e9bb442924f6ca6838faa103ae2f75dbd1fc75f45b867e0ba5d0b24ccd23abc633173d14f469d640e56b34d6e1a9c809c690e1858bb9bcfc3bf
-
Filesize
34B
MD5a67165f669bf655a63822bbf8b217a6d
SHA1a44e672e9b9343d7186a382648c0af74f710924e
SHA2560a2076f550e2d49d8b4d53421e21f95014f8cc45fc18d69ec811d2d47386dc6b
SHA5124ebe33761866c04e4b20d9fac6013afccb46743f0a03464ed318064355341aaa6e5e98a33f80d369caa08ec58157217b5fc4625cd6de6d7c5f85e1eff37f523f
-
Filesize
34B
MD5651b6cb9725c3aef3e87e247ba006f59
SHA1ee3a7b095daf39fea4fe458bf2637f4152c45400
SHA256823a687ee4732977936cba2f67fb45e8638225676b8f00c3731acca189037c30
SHA512421507057a6c6ebf29ef846d11c4b7dd50b0185568a0aa66c87d3d0291198348d2d18577b5bdd2d3f9e75a1121c49c9de51a683e84ff5342b3278443313042ed
-
Filesize
34B
MD5e021d6a572b6e3ee2eae3bf0f46c671c
SHA1c7e670c7f6a6e9e8087dafbeb7881a036d7dfd49
SHA2561cba40cb45de8979d3124b9e8ebf1ae333b25b31a2391d399e5071e2a2100c7e
SHA51263e89bf85640918f6d71c959446eaf994a1392303d08f0a166c729a3af6e0c737eba8e01d3d0d773f17cef83ad54415f340f599abdb51dce1506c739cdb9b6be
-
Filesize
34B
MD53b683f994ecdc5e0bcc50fc9961556b0
SHA1317001c37cfbad4f84fcc2ccffec57272b4df70b
SHA256f1cdb6067f95bc8d68936989d0e0475631d0d22da672d749c5cb33f3c922f417
SHA512cc53ffb358978f91eb3cbf10fbf96c9b8e806436903a6d44a55b13bb6b9061b226e25b6d4ab32577236d045c321452f491b3ede5aa6c3f41d3d39c360c8825e0
-
Filesize
34B
MD5d62d5eaac9b74838c1946eb89f2d9e66
SHA122e9306f8fa8f168b2b1cf58c01d8bc3444a6c81
SHA256408efd4710c34a214352bc451c8643eb3b34ab3edbbe053ea0a3959e2d3efbc8
SHA512bf3a5299cd798083b654ca302a771832473383f9856d8f0ffb5ff3db2d3bcfcd3b596dc50a38d9fa906f7636230e66627a6a272418b2b07b65ed276e3f14a32d
-
Filesize
34B
MD557a814ef27517546c95ca2c803b61b2a
SHA1a1f9e756fb507f11547e96ec0e2f3ea5bb8bbb05
SHA256f3e8951ea681cbba90b62119eb4f8e6d334dff2b725bd0c1e1ea821d222cdc00
SHA512764a6dec008178472a0269fbce0324658d3b0ea6af2fa2c32c77d4793e6966e6629579377a1c463b8498bb836b7e0875e55f2cd05939e715ab3df0de923a4648
-
Filesize
584KB
MD593ba2fdea65d76f64d8ed1d8c9d48ecd
SHA1f9bbb157187e4e1d30cd7cc5f1cef170b55a1bcf
SHA256039ded2c5907dd86d3e57359b6b8b6b5964108c3e29e297524b0f06301f8967b
SHA512cf8f047a178d895fde455eb30a2bd3c72535a99fc9196b0d5b7493203c88c38f9471298458f829948a06ca74fa3fd497ab06c7f401a422a00eaa3ae34e79cc84
-
Filesize
181B
MD5b777eeb92b8b9de6721bb93d5df7c5ab
SHA135639e6b363880693e34e7e6ce2ba75bbdf4216a
SHA2561f4de8de80eeac64914c46f1b2b85126d8e2da5969cd50f8213be22de73bc777
SHA5129e0cb635b1684701dce1ad9296598c01ba141674b9cea39c3658a332e074661349a4ee976ff7dc11a89c6aa1f28185cc11df10052c54433f4d65661019361a00
-
Filesize
11B
MD5049ced07dda359728bd97e94c76de9e6
SHA15732419cbc746060a5d30ad7cf0a4c0be2df7251
SHA256416f7a4887bb2bc68e414caacbe2d5bceef4c2425c347a6d805c0f4d8ea125f7
SHA512eaddf6e330435df1eb6f6bdc3b46660e69745c1246df89adcb6e913248062df8755e81b7daaf7fc4765e1006e24521600018ef0b047e8adf6b487602080198ff
-
Filesize
18B
MD52fe24c447cb21c02a0e34d9276bb4e48
SHA18242de795ce8f08e411c89b87afbfe57db394a95
SHA2563c9d77d849a9977f87b0b8951ab698406125a03ae1d94274522c3fefc912a2e9
SHA512e19db14910b38a93a64530961f0f0fe3059ed628e486b2312d16e475c79423046dabe1631b1ad22c2a2a3e70b4ac10d7f77167a94d8e52b42edda31989c74302
-
Filesize
14KB
MD5b3af737dcd7b6cd73ed52a6ff7158214
SHA1d2b4424b672bc9b1f410192c1fe458ff2369a8ab
SHA256658b0b39b74a83dbceca8541bd5047e2ebcbeef3d71eb7195e95f13baef63c53
SHA512a34e6bd1f56f4101e431502a3f15bdfa1b3c73e41c7d397b9a15fba32d2abfeeaa9b54e2e33fdd49b2b7f6aee49946808d28e36f9f59669584059d4a519e7c2f
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001.encrypted
Filesize14B
MD5dc3ffc07d8df4bd8b256efd354963ace
SHA10d7de8ae944c29f6e7ded76548947ba22a9443c6
SHA256c75ddb5523dd3b332c8497f3efcacb836179c6ad6ac47fd4f526be66c45d3dc6
SHA512799c1b17303b003eacc61b1984d0ef6ac433e2443903ea103950af21f984653607c136c66970c8b8a722cd2369592ecd535b4cf626f4ff3a98f779def0d8c0c7
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000.encrypted
Filesize247B
MD570374da00fdc4d2bdbce5c5caa399206
SHA1875a4be4612a1276633220a8463e9977636ed295
SHA2564212b1b64c8f83d049c347ee805713d138d749d798a406efc8ad7b706464f196
SHA5120f0f4de59fde6d2ddc21effc5b993da7cbc287c4561bfb50c14d21e991a6c6c096446a8a80ac6b38e831ed161ab6b50eaafea59c3c48a734e2e79856fb100e6e
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000.encrypted
Filesize254B
MD5d7707af74eafe5afc0173ee8f01c1d4a
SHA1846033e003a87e2fa02e1d4fd3c12a3f07631a13
SHA2562cb1b5a6fe77e2268ff7357e36e372bf3dd13e37e4884e25b68abcc54966eba7
SHA51269f38eecda2ed3f72656b8ac0f99a97ea91c9c73f51a7c4bde1c4a3d0acaa24a6bbbf58833ccd59fdc1badd71c9dc9696ba52decc89111d61f8d5d46212ad418
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001
Filesize64KB
MD5c5654aedb4a8dc944cca008bc37667e4
SHA12768671ac52e8cd2450e930f1accea91ec17d925
SHA25647f38b5fd69660a720d192f1074d023008bcc8621eaf527af0ef6bfdc0a35541
SHA512a8a10f8233c2795288337d877183f4264e66e2643c378b6436c1dd3d5c7ad2d83c88282f1688ccbc75f55f0ef86d8186eb8073c6299b46a83636ebb6d2e6c6a0
-
Filesize
64KB
MD5c3b1c07e45146df6fd5cfaefc139a966
SHA144e50dafb71b8842c602cb4eb3437e5bfed777d7
SHA256b77fbcc7bc57b8a7d733d560874c9b6b210cd5470e7e1ba9080ebba8ac7e55cc
SHA512e0be9876ac5c0dfb8ca5e2a1d1d5567b76826b703494fa163627300e95b085d764107a4548da2d53813a620b7a88504aab03d0a87ddec1ea15eedb395ebca6a9
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001
Filesize64KB
MD5eee56c115f4098d6eba963d8ab793940
SHA1386682a8c4102da98047c8c61edc258732c6f473
SHA25664e1d5f8441022ce5e492461b1ca191d0bba5f5818171b76662727132aec0c58
SHA512bb0447dcc98870795412c7ddd0cd5bf767af90c296bce640ba705577214a87ff71900696a26c5d9e1e8847701d5f27600f508669ec81dda08b67125773e32706
-
Filesize
48KB
MD5e70406f5bae1dcce9f94ad150dcdd05d
SHA18a1abbdaa070042f88d076cc2b8b9753c3b1143a
SHA256290feac52050622d75a229ada0bffdd10d84ed6080ce1db72281a9f8bfe8a628
SHA5120516c1ea09c3368221718e6b184f93eb09b34be1e5c21f6fb3703f6c6d7975320ccc2c73bd20e0d0ec08e216fbc9c9754e5edf0f73db6af266d42f7dcd215544
-
Filesize
2KB
MD56c8824bdc712767a3705341c43e4e403
SHA1e4e040a4c61e9e05edeae12f356b73eb3aaf3f04
SHA256b6fd5495d3f38b98476324cf3ec1b87c2b1d4ff9d5d8a7fe024968ae40e0b7fa
SHA51217e9476ca52362388db2bf590435be30b5d1e8bc97d978d432c803539c0a995c738fd612c51f6a39a7a6e741c4c4fc22e3fe408f949ab1d70924046d1f94cf0f
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft SharePoint Workspace 2010.lnk
Filesize2KB
MD50cec759ea03d47fe525757eeca697075
SHA146ccc15e6c1ff9221eeaa66558472af401600cad
SHA256bf55542d8b132d38087009b362dda7b1d314616867f5e2dada0a2bd7031773d8
SHA512222495cdeb61a6663f93e6b007e73fcb13b2feb3792856b5649760628250cd93648f43da2193cc0afd5c85ca66b1aae927a30da658d0a78aa3defdf54e31ba43
-
Filesize
181B
MD560a384b20e99cbda77d0f9c23682b0dd
SHA120d3799adfc17c9affe6f2f237db5d7f350d1f68
SHA2566da0c4c4ed2da5e17e01ce642714e5f04749cfa0ab5e30ae2b9b411689004a1b
SHA512d951c8ffa9fb74fc21989b69e010876ee873833a0c4d3b93abcefaf4e4f6a01f0ffbedc11ea5f0e8020a7bc76dbb912598841f69f3a8b57b16c1fd2ef67d584e
-
Filesize
1KB
MD593ca901e8526e45f6f2308983eafd321
SHA116cb12bedc01603043f972342c863e17f27db2cd
SHA256bac5f910b0143feb48676dfeba0e36f0905dfb386b6083f64557feb1b27151a6
SHA512a6fc933137291b3eb1ad4ee2ebc04b60cf0331cfb710785b60d21b0ecdc01e0564a21b769ba7b4dd7a32446ae4b089671ed917beaba8be7b77bfec3851ff664d
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.encrypted
Filesize180KB
MD591234935b7615e2e73a977522a09392f
SHA117343ef42cc1c564a1f241a53e7c05287dbf06f2
SHA25642a4887a244c0a2cd2af2042c06cd4dfb1c1b0a82be2a0ba1b3ab48e25fbbb4e
SHA512f2b43705d59d146c8517a245dca1ffc50fe691635bc07c3987b5a642c8f3a7881f3ab3cfb426d26e6cddf5fd1151f0be7e70d495657b1eee4cd4dec22c380ec5
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.encrypted
Filesize180KB
MD502af05730023dcbadc68b46d0998778b
SHA190c409babc76a2eba3f5edc334a4c3eeaa5a9ce0
SHA2567999733be7261e902e2f93016e2a8f643c30cdbce2c0dc23f89d0257353b9e83
SHA512aa58636129e53ac0d25afd4474f1b78cbe23d3fd02c8404c7d5bfae47e4e9014e888a44d008b78700de30b059e5d7a38e7b3126b5427e83eef1684632149a200
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A1D77FD1-86EB-11EF-AA78-72B5DC1A84E6}.dat
Filesize: 5KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.encrypted
Filesize: 48KB
-
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk.encrypted
Filesize: 1KB