zeppelin | 821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
Size

217KB
MD5

56f16414e71c5263c57a4ce7733c70b5
SHA1

d74ea238db6e0870422f6dcc4fef83964a380d1a
SHA256

821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3
SHA512

a492452c26f6c6d36853edcd13db03645442ea82c761940a1c0f96bc0fab7269fbb99c2e83350ecc06143cb142ddcadc6fce2ea32312440fc985b163b60d46ca
SSDEEP

6144:dC61i972KJmciP8yGw44DQFu/U3buRKlemZ9DnGAe6MTgGkT/+:dK972P/kyGv4DQFu/U3buRKlemZ9DnGm

Score

10^/10

zeppelin defense_evasion discovery execution impact ransomware

Malware Config

Signatures

Detects Zeppelin payload 9 IoCs

resource	yara_rule
behavioral2/memory/3452-20-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/4404-39-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/3452-1296-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/1068-7388-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/1068-13355-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/1068-17266-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/1068-25308-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/1068-26728-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin
behavioral2/memory/3452-26749-0x0000000000C80000-0x0000000000DC2000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6092) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
784	notepad.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\S:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\R:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\Q:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\O:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\Z:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\X:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\W:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\M:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\L:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\H:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\E:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\Y:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\P:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\N:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\G:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\B:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\V:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\U:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\K:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\J:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\I:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\A:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	iplogger.org
39	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-125.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-lightunplated.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-200.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-200.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-100.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-black.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6_thumb.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line.cur	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons2x.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-400.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-20.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-60.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-100.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30_altform-lightunplated.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SpeedSelectionSlider.xbf	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-200.png	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.HORSEMONEY.206-298-7C8	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe
Token: SeSecurityPrivilege	2108	WMIC.exe
Token: SeTakeOwnershipPrivilege	2108	WMIC.exe
Token: SeLoadDriverPrivilege	2108	WMIC.exe
Token: SeSystemProfilePrivilege	2108	WMIC.exe
Token: SeSystemtimePrivilege	2108	WMIC.exe
Token: SeProfSingleProcessPrivilege	2108	WMIC.exe
Token: SeIncBasePriorityPrivilege	2108	WMIC.exe
Token: SeCreatePagefilePrivilege	2108	WMIC.exe
Token: SeBackupPrivilege	2108	WMIC.exe
Token: SeRestorePrivilege	2108	WMIC.exe
Token: SeShutdownPrivilege	2108	WMIC.exe
Token: SeDebugPrivilege	2108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2108	WMIC.exe
Token: SeRemoteShutdownPrivilege	2108	WMIC.exe
Token: SeUndockPrivilege	2108	WMIC.exe
Token: SeManageVolumePrivilege	2108	WMIC.exe
Token: 33	2108	WMIC.exe
Token: 34	2108	WMIC.exe
Token: 35	2108	WMIC.exe
Token: 36	2108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4928	WMIC.exe
Token: SeSecurityPrivilege	4928	WMIC.exe
Token: SeTakeOwnershipPrivilege	4928	WMIC.exe
Token: SeLoadDriverPrivilege	4928	WMIC.exe
Token: SeSystemProfilePrivilege	4928	WMIC.exe
Token: SeSystemtimePrivilege	4928	WMIC.exe
Token: SeProfSingleProcessPrivilege	4928	WMIC.exe
Token: SeIncBasePriorityPrivilege	4928	WMIC.exe
Token: SeCreatePagefilePrivilege	4928	WMIC.exe
Token: SeBackupPrivilege	4928	WMIC.exe
Token: SeRestorePrivilege	4928	WMIC.exe
Token: SeShutdownPrivilege	4928	WMIC.exe
Token: SeDebugPrivilege	4928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4928	WMIC.exe
Token: SeRemoteShutdownPrivilege	4928	WMIC.exe
Token: SeUndockPrivilege	4928	WMIC.exe
Token: SeManageVolumePrivilege	4928	WMIC.exe
Token: 33	4928	WMIC.exe
Token: 34	4928	WMIC.exe
Token: 35	4928	WMIC.exe
Token: 36	4928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4928	WMIC.exe
Token: SeSecurityPrivilege	4928	WMIC.exe
Token: SeTakeOwnershipPrivilege	4928	WMIC.exe
Token: SeLoadDriverPrivilege	4928	WMIC.exe
Token: SeSystemProfilePrivilege	4928	WMIC.exe
Token: SeSystemtimePrivilege	4928	WMIC.exe
Token: SeProfSingleProcessPrivilege	4928	WMIC.exe
Token: SeIncBasePriorityPrivilege	4928	WMIC.exe
Token: SeCreatePagefilePrivilege	4928	WMIC.exe
Token: SeBackupPrivilege	4928	WMIC.exe
Token: SeRestorePrivilege	4928	WMIC.exe
Token: SeShutdownPrivilege	4928	WMIC.exe
Token: SeDebugPrivilege	4928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4928	WMIC.exe
Token: SeRemoteShutdownPrivilege	4928	WMIC.exe
Token: SeUndockPrivilege	4928	WMIC.exe
Token: SeManageVolumePrivilege	4928	WMIC.exe
Token: 33	4928	WMIC.exe
Token: 34	4928	WMIC.exe
Token: 35	4928	WMIC.exe
Token: 36	4928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3088	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	97
PID 3452 wrote to memory of 3088	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	97
PID 3452 wrote to memory of 3088	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	97
PID 3452 wrote to memory of 2444	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	98
PID 3452 wrote to memory of 2444	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	98
PID 3452 wrote to memory of 2444	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	98
PID 3452 wrote to memory of 3980	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	99
PID 3452 wrote to memory of 3980	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	99
PID 3452 wrote to memory of 3980	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	99
PID 3452 wrote to memory of 3988	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	100
PID 3452 wrote to memory of 3988	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	100
PID 3452 wrote to memory of 3988	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	100
PID 3452 wrote to memory of 1736	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	101
PID 3452 wrote to memory of 1736	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	101
PID 3452 wrote to memory of 1736	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	101
PID 3452 wrote to memory of 1232	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	102
PID 3452 wrote to memory of 1232	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	102
PID 3452 wrote to memory of 1232	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	102
PID 3452 wrote to memory of 1068	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	103
PID 3452 wrote to memory of 1068	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	103
PID 3452 wrote to memory of 1068	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	103
PID 3452 wrote to memory of 4404	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	104
PID 3452 wrote to memory of 4404	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	104
PID 3452 wrote to memory of 4404	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	104
PID 3088 wrote to memory of 2108	3088	cmd.exe	111
PID 3088 wrote to memory of 2108	3088	cmd.exe	111
PID 3088 wrote to memory of 2108	3088	cmd.exe	111
PID 1232 wrote to memory of 4928	1232	cmd.exe	112
PID 1232 wrote to memory of 4928	1232	cmd.exe	112
PID 1232 wrote to memory of 4928	1232	cmd.exe	112
PID 3452 wrote to memory of 784	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	120
PID 3452 wrote to memory of 784	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	120
PID 3452 wrote to memory of 784	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	120
PID 3452 wrote to memory of 784	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	120
PID 3452 wrote to memory of 784	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	120
PID 3452 wrote to memory of 784	3452	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe" -agent 1
  2⤵
  PID:4404
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta

Filesize
3KB

MD5
94882cffd939ef7230f8ac709c07d995

SHA1
a885ddf9610928e96a742ea598dd654f97f5cb2c

SHA256
f0fabe301fa295ec2ccbac340017092dc63364dbe1cc01e8e8a9820d8efe44ff

SHA512
6a9a73ba2b8b71ba176688190ff931bfce86cce193a7d24936a9711902fe945ae379634d1dc0564003ac6cb89aa09095337f7e5d2ae7fd4ee48609d769e3ad7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
1bc3f8013b523a653231687bc0b54939

SHA1
a937546e0daed363ad5013e483d025cc57537c79

SHA256
71b76cf37b8b6b41e5b4e22ce4fe771dedcaacca5c214e2902c49a6ba96fc18b

SHA512
337b55c12ef3a977c396a1a3ca105e3f54c08faddcd9e463324e8bcd3c3f402b841cf56b977158dd46362b14afab9332446f2fcd7b5d1a58974eedefd6a13bcd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
011a16b6d5e4d2b5bcf5fae16a01f8a3

SHA1
4c77fd56bed7f7875646ccdecb5eb13d915e9bac

SHA256
0cd0798f2b19b92851ad7eb2b5b8507ca19e494fef54fb9ce85d4ddd4ffd543a

SHA512
3a8c728f9d453febb1e78ab939b1d46fd25f29c5ac70180c3aa1df623879c3716b39eacc7a3d51a432eecc4d7757b0b902c5cd663dbb449151b634db0feaf646

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
aa8f74ef50c1b611f2cd5c8d606adba6

SHA1
93cc1d04a7d560ad6e32b7b890cbd42d926d8d9e

SHA256
38825c26b5a80d73f12d0c9ad158da7d738568f9b01968328fe9da6e4e39d85d

SHA512
2a9b771ca6ea9a67de66e3c96170686486cb7707bdae1681495835e3664ffcfcf51ac1100332c4974520f71ff2891f4c406d085d9e3640cac247473b98530b59

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
4c222e1637aa626fe259843fa9a283a6

SHA1
5b8b9ca7a87393d68a8b18e90706c5af1b8ebcde

SHA256
504dba7a35236829c08d4165f0e8d7bfad1a9277af0abfe00752fa350c490946

SHA512
a3a73a78cd5eb3a42cf3a2bece7ff419ce4a7987224b535a8803c14a6dbe7b057d566333a064b0d8c70edde54a18a3be1d8c4ecf504ca6a2e0ff148318e0b622

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
25d62c0ec04a35e4468d832d27ce321c

SHA1
122fb5f443bca6e3e5908969e257a8caba395319

SHA256
51d04c72eb16d38d3e0e14ef8af41ea970fe352fc946b6680a4ebd4331e587f6

SHA512
0dee880abe4735e3c4b604b843d883291efd200d45f8cbf91246690281cc5aa1cf0306ec8af80a983accdc5135ae1e80be7ad21b3fff96db96620da3d21c6c31

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
98c1ccf07d18a1e98e60e42a6acd961c

SHA1
bdf60a2597de29a9c080f4e2e72b068549563b03

SHA256
7b73ae855a02c53c8045a022681f1c4c330d3387c161e8c2b7354759eef463d6

SHA512
e404ad40dd3e435463adbf9c997dcd31e0889f010f9e148935d83103bf29cb1fb7ca133e693e2e4a2adfe28bfdff98e8357735cc41f319cf7cb285968b79b290

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
5d37ab8490781282eba3b855014b0e33

SHA1
77c8ce2c96914ce055e8aa3cf6fd620e130f0479

SHA256
676f989db90cb68833ae15931528b0007c9137ca235eeb1ba17376ec42c693ec

SHA512
bf6a68dd24478bd7a3c5a4859f9df9b1288edc275bf7a584b7e26ec71985be7ed1872323dfdf7ce208c1eb84d2b2f01ef3b63e600bac72584da8cd16549e4352

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
1f7b0670d7c9b4369d8e8461e0e67e85

SHA1
2c8311c54a29ca2e9558ac4ea20ca7901b924ed1

SHA256
91b25e9afaf7348d706da392a29e9877be6f4c10c0a0ad50455a313691b0ab5e

SHA512
cbf0d7d91beeb2fa7451e4ebb596da29bc2a84850d4f99c33dfe251436f3943a0039198f9bcf932ef1e89fdd525f207d05755d098926a5610a9737d9ef680248

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
ebb830fcfa0f1ac4bcbebcb65431cc72

SHA1
a8967b0f49ccbfec90cce72f8b24ce5f72c32690

SHA256
316dbc741854992c754400b1bbcebe479f7a85f18561524cc796936c63137cca

SHA512
c7ae3193330051d35d531572b8aef3c318c6ad5de51c7e0fb48d1392a818a8425cb28af8a82903a15680de1e20f61c94d1c686816566c8a96821e44b2cebc0bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
e67c72ff481887ecce94609fcca4b200

SHA1
ab17839cae32d99792eb9c8f15accf33f3b12158

SHA256
2e5f98e5df9f2cd74acadf3eaab6652cc35d73aaaa36336d996f21845af170f6

SHA512
d659145dae0d538bcaaae18d5e2284fd55392f5b6e1342198c95cc748357d0fe2c7b149bfa79b2d3ef0f5a514b20299dcf20455f006bcb6871d3d7ccc020347b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
377KB

MD5
9192d2bf9d96393c2fa60102c66da30f

SHA1
bc7aedbee4cb9bcf21dd7080301e153fadf603e8

SHA256
2f557c4a1f8d1f278d3d49527561ebcd635cd214665d4bc41d624d1be09bf457

SHA512
aa7191cf1db09801ceecda0e44e8d4ff5f88a72e0d4c7bdb93c65301c6ab465f3c5e58a49ac594356aa639c2c1076a0d45ea040baeed021d28272d92c99e219d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
387KB

MD5
db01d6c1358f31121012e863dd04d292

SHA1
ad7387bacce8a8e92f1d39f6e01d299c0b9fb4cd

SHA256
a8f12a04fb9b6afd4346d7680bdee0488322b60d7e09477cfc491d7685f419fe

SHA512
995dfb22c13013f0e04343863c212fa776295ea96cae3ad1394e27bad8a337f35b662c3faa70f0fee902cc2105b92c2f2a09e764e54fb62148513a9c2749f5b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
d4a568536495ccfae7649ad3e2f5237e

SHA1
c241658123d4f3c98b1b370c06c6415293214312

SHA256
bafb533ffa44310691e7af76d79ee6b673dbba7d7a2f1b57bf0d86afae00403b

SHA512
98ad988d1a9041fcd0ea0e05621c8409297e50f426a1437bfa5b9fe38563ecb38ed9f92973a8a2e98ff63d2941e4eedaa050e5d2b4a2690c3a86cb5a96defbb0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
ccd1602a8a3992d6ff0292a7812452bb

SHA1
1dc9e067b4de64b6cd6c6b31c3cbbcc70715e094

SHA256
91a9da60cf1e48ed76f6d3a1c98abb45a6552bd293084ceb0fba85f102f71be7

SHA512
dee48d4a56dc223aaa871dfcca2e71f17798e3a11c33ae5b95a2f49c6d778462843b23030cc3c6d48ace4469d8fb3ed0573eaacd732ddaf466451787f1d87cfb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
6413d6bec6c7d9f12b49484c37bec8b7

SHA1
9857dc363694e0064914128918c596530655082b

SHA256
ebbd636e6f4158498aecd9ff08df166fb499cc7b4415b0b3abdb76e8c6a56903

SHA512
2988fe0bfea452b54c62992fd170d54e7ffdd27374f9553e15d396cc8b0449016d1cc513d514c9ddf91797fe060ededd52e382727feb0aae44847cb7dded6981

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
3ed286b108811f63c0a6098455b64ad7

SHA1
0c0e6c9e75ec16eecbbfc01e5d2d1a8cc29fda79

SHA256
50474f5fa517d0297299394ffcc9fdf97617d35de8049827b1b5fb01f6859a90

SHA512
3eab736cdc0a0e4fdc125239432c98f897b4cde090906937a19370288e9119f60e223ebc99bb6710fd42bc8bc30ad864873f34b4d90ba32a33628374f6f27bf9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
c8f9456aa939351d1ba2de00ff1f9bb6

SHA1
50e722a0bf45f48fd00e9211703a00ad2b6d6d27

SHA256
52247af372e6dbed62cf5ad591877a67f843020cc39a0c1c9e406fcbe77e765e

SHA512
374986814f5c58b924b11e7c317eb166fb822989d67f94b5361cc0aad10096ae548373dffff3c08b91a8f7f62f446a3e264fb8f85243746e8de6e2e76bd1a662

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
3203ca7a75c78b783ef89647971fd2b4

SHA1
f32e4b158401eaa793c9ea386d57a8c8876fe31d

SHA256
69d0aa4fa755a247a3d0657ed259153181541e9334a502250e1be90f8a499d4c

SHA512
f6146bfde7ca3e979020effb764df04769144abdbab9d38df2a2eb7227661847726686b55d61b58d5c2ec49316f530e78858c346b39cbfd3da241fd31ca3c026

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
007b0d8b5471a74495f8be4b35727402

SHA1
63fc5f6211b2863d4b1478cbe1908ab9fba619d8

SHA256
c330c31b493e800e16c152df2e9ec6d99b7891d51c7ff8633c03e7b272f1d912

SHA512
872048ada5e5897aa84350e5c95d56f91ce10528afbe974a2a5b327b4c298a4d6d2e6677869279dd3c370fe44bea6a938990a599bb797a3f74269c550743267c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
cc48fb1a73d43c74beee0bcff423d0fa

SHA1
d10dfe93884fda76763bc0dab352a4a3e3dcc897

SHA256
bd518fcf6fa6d345c680fbd4e6cac8f13c076a350aa8121d835870761fd2fcb0

SHA512
ea237961b7ef4a01f15fa9b792f56fc73908a5de6c173886e6df4e0e6e8b1807e3d5644d9103425b9943a11d8e1026d3ca55424374c653bb79f8fa5b5788e197

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
ef20a06f0fbd03dec3892b2928bbe874

SHA1
9ea378da4c26d35043f05c5925b123658ffd62d2

SHA256
5a6befaeab4d9581ca50a7e44768fd39d2bbeea42fd28fc65d9b7c4b00a94104

SHA512
5bb27f869cdf2336dc48124577e46d15fef2cd477732b7688fd3e0a741310f5fbb01804fd8389f196509581a278afb57952cd0200d0c46bb2579935cf7bb39da

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
67549b5d38e6e6b1ac3028126d321be9

SHA1
4864dcfd30d9dc7120a047d1b7be18a3af403589

SHA256
27a07ce1ad260e356ef6868260a72b108b81b7f2b523ef87906fbd53c55fbca7

SHA512
eb59a78d7e42c8817bfc7eb347fa1fe90f6ec49b4ba6751885ba67f4c41d3bc7079f9ac62391db869b6ecfb69f27134ed245feb2981aa426186bb10c3452863c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
e60fc7e305dc5d9fed0a1cb3b7fcde9e

SHA1
b2a1471d190d2cd8c26b10c85da6371af285ab52

SHA256
0df3ebaf3b45eb17137aa51ee0e897728c2dae5970d86b8bf571d5894a4b9cff

SHA512
d93aa992cf84fbfee4f221049826f92908695605b7eda61c4d5556b4de90a3d1b6fcc302266f4f7498af1091c5034b6f5b0c81699d32cf471b42063046285ef4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
2b29ab126e3f8ea5ead3c46821150d41

SHA1
79fcbe6cce28ac511dc0eff1da77ebece72f5984

SHA256
ec1188c914d25fec645f24a57b36bdcc6bc71d0672c22b260591a338577920f6

SHA512
d08c5f83ac2e70c16af8e7203469f59439c9adc42cf5aa52b8efa0356d07ec1b9b15ee3902df9b9638fa2dee851e8cf2c24e9ae75a2d5bb0afa4e0e7ef19edf7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
575a85c5a0090ace6c7db5a0b7a1ab45

SHA1
5b3654508bc0b26ec8014702e8ccfb84a9c60a77

SHA256
6d322dba7d1205182a695385932f6264f25a774915b49b7a5ba8e9e6ae415f25

SHA512
37d37248a10621a28d334fce21fdd8da4e088e17a14c2439a4109d38ed4f189b0f986c13f8a432cfeec798daaae3bbd7de8eeb6d9763b8e4d9fd0351d722f3d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
ee0b95cd0c590a384f3efc08dc0922b3

SHA1
3e677cfe7f1bee4beec807d7454aaa44a7cd20ce

SHA256
b57899df4c6c682ba49a105e25b9b2fba8028781883e0beb0bb171720ef344bb

SHA512
7efdfa7c28a256f24afbb993193675b8cf9716617e31890244f8c6d732d5c45c6e238e25385c893d213d16d47e06505cdbbafcd5d978b06358893353e6720268

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
ca9af1500c5ff78d0d9824bca49554e1

SHA1
10ea913239e5d767ef611c2b1bbdd2343d6bdd8f

SHA256
f526811fe7cc0624c8fad16ecb62fef5be95e741772630851cdd78b97f912cfb

SHA512
cc4e4805baf1e878ccc8978fa45f904d7592dfc6a815cc107b0d7faffd80f2614df1cd9a8447510b23b5f0cad3400fceabc2d9ef4956a56bbf5bcc00a3a2bafe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
638f810ac8d9e89e2c527a7e58cb529c

SHA1
6f62acec18b64346201e034ee68e14ac72810f0f

SHA256
b0585df2dd3e64646295a62e538df10f5731a0892b99a9f54d75ac97d8b2041c

SHA512
0ad0dc0ab25e8133938580fa3f4092f33dfb0c38848afcad104796b6645f9139045d7d9a89f7f2eb65bb8eab2013704fae20220293a51cad46de90020f1a6e75

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
903722dd548374239470387fc5056d15

SHA1
7e6c6f1801fbcc7e7dcc837125c205b867dce086

SHA256
821e7b03045a357b951bebec0646bdb6889489c63fc263943411dac7cfa33ba2

SHA512
22a5fad478ab4a1a87e4b8ce0c6d497af38ab1966beeab9a0566426b8f95381e23f7767188e0daccb262d7ce7f7eb150271bfca9e4693fe74004f01a6c27af8c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
a22e4bb7e297164e48c0e03d821471b3

SHA1
d44bf7b4de6f61b57f1708f2ec934eb01e470a94

SHA256
3e69278246fd82ae2db401ff5494a89d0cf6e979702ff1657ffdc9986af7dda3

SHA512
67760a68e90da696dd10e4fbda73c6f6fb62d5cc8a3db280110a6588d955b4b84527ec8ce97515cc0b811a9924f88748ba803946a748af08321bf7df57c577ca

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
ef8e0c8ad1fd1b6e88a2e79faf399bbd

SHA1
fe2d7df401973a9e7f3cd661b69759ebd3f60fd6

SHA256
b069d4a640e835eb10e537177f7b32bc82a01fc6a99f6c1b19e5fd6c40205384

SHA512
a3913cd582750f7fcc0e2401b0fc424cf3da1259145d59f512d72ac3cf2c23207bb3077a987c348492d6d5e646b8ea1d48539c53518478bfbe408d9b517a7e99

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
e6037b3db6f016ebbb62377cb847f430

SHA1
9592535b08aa52016760e338892763c91bfdc169

SHA256
598881e01a518116fc2dd425e9d841cee38a941c35242656317cf92564922fde

SHA512
6a666314709682e86cc6084ae1444f9837e5a9282547c1f447bb0538ce67cc43a0f7c3b35868a1f07d85809c297bc9272fb7ca86a8298aae5f121c463076a097

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
50b0178a95e749efe61f66eead0f2e41

SHA1
bb6a80dfb7806731b2dd88e98023ff0e18696d6f

SHA256
2841940678dbbface73ef8bd5ec6cc2bd4cb053484f65421f8d4e2adc5de1802

SHA512
5fad85b6e18eabb93e2573f9a8d943a3e22d65f4aa16698b7a67c0ea877a60fc4bcb05dd67b7318cbbecfcbc23af77dd61c2f9acbfe2dc30a76c1b8e81658fdf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
ce996a29ab8bb09636c8eacc877360a2

SHA1
902b94b608d8f53b649f8f9acf49897c5eb90ee4

SHA256
5924587a3180c497898b6768109fd646ac5b1042b629433caf43f9dc23623b0c

SHA512
16121484d6a9dcde6e98402899b2abf65215ad0af466798674bf0ac7e164f0bcb9baeefb56a51de92913f88e2d9f005a4b2dbe13a3c8e7a0517ffeec64a6f2ea

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
611KB

MD5
66a7ef8af4a6116abb21ca122dc54b9d

SHA1
887d4317f99044c2b2d4ce5a060a0dcfa8b44642

SHA256
3812e67276868c8a5f3c215c1bc8ccc9548bb1f0bf39f21ff51a35f0250ef69a

SHA512
4af3d2575a141888bf5c2be5214778bb1aa2fe108c7552ad055609072292fe22a2d1b6adb5f888a4abba05b6d6cdf3d675fb4f4fda659217dc886cf28e36d1c3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
acc2bd0c1203ef3309248ec7a204d078

SHA1
4d649f4d567249fb0f5c84afe4c20ffe3eac552c

SHA256
0ed16937e7bb79dca26404a2b9bed99e7552dabe365ce4c80a33f740988be190

SHA512
01bf09345cd42cad706b584cdc14b6edbb11e119f6ea4d877d17c4f38f06804095718f818b7c86bb5f484bc41db5491f532074d459ec133b1b4522b8605e11c4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
ca97ab9dbf2492fe13bc71d4e876a453

SHA1
ae01da7ba3eca2d225935defc45c0869cd78573c

SHA256
f9a26f1a08238b9682b6c9b9a3e8c9619d80276cbbd295cac674893ac853d42f

SHA512
8bd0cd20287553ea63ac340c725552aa9e6295a79a1de6284c7700459c36febfd20bb0dd65c7706fda0375ba8eedd1170c8ec3e21569b78c71edb674b9d38e5e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
595KB

MD5
7eb53be56207123af1d565836884617f

SHA1
51dcb8277cde526615de46b1b6b58061420930d5

SHA256
3cd2ab887757bf751aec1b9f105056a4f29dc20618fac31bf27947862a722cba

SHA512
2d74378a1b2e18e40199d1f6cc49cd4b2ffd245e05de3afb2c09c60d1e01fb1b0b80771d469c0c89a632a3569d04bbad237a64375d7ca59bf2412b949e8cd60d

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo

Filesize
617KB

MD5
615bb86929f56660f111d7ea0407918b

SHA1
6c1b0bd4035167c36e406e1f1638c45461df48a3

SHA256
30c72656e2aa9ca6ec0cb2234636210607afad4daaa4314046027b37cac22a92

SHA512
a5735a849920dfff40d3a32fb9934c74e9c1693ad2662c99204696fe682e629c478203bc6e6ce7cec049098a5fb3472f35e910fc1f454a1a43b44dec8c6d71cf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
5ac78e9e1522577841e2dbaa2dd0f6a5

SHA1
592ef4e99fb03bbfad7c9074eb829c162c991c98

SHA256
ed7fd0697c38e47a2977ccfe5befdb1de5317e0da87626cab6480dd36ef83670

SHA512
1c11f0670a186b7afbd4f3bbf80826c289645f5710ab53c501f508e7849e27d4ad308db0782f15fd73a210454b9f863491f2d3d9f5f82d68ac655931b94f8648

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\CheckpointInvoke.mp3.HORSEMONEY.206-298-7C8

Filesize
370KB

MD5
50ca38c4b8dab97594dbd09d032c4133

SHA1
de46bbbbb86944be8cb887ff31ea555363900983

SHA256
8567ff9361880623511f661593cc8d1948cd24fb654459731980e50333a81da0

SHA512
3b1177980d68a77e6b3ad8794c1b64675d78616b1bc5f40259f60671f4b0cf305401c2132f7d20ec41c6194644e41721c6694b2db674c57bcfb6037737f35287

Download Submit
C:\Users\Admin\Desktop\CheckpointWrite.vstx.HORSEMONEY.206-298-7C8

Filesize
231KB

MD5
116e27206b7e7fb7441a51fc5650d9eb

SHA1
888a7816df0130694fd3207859c4506e4b30ca7c

SHA256
d73b8675ba967ad3394d433f7def62f1709907c7008d822e661486e5fb80506d

SHA512
ecaad010064f77a2e1f1fa0783643c8f39edf8ebff110567163ebd2ece15209c730572b17dd9023afd2a9e522777eac7405cb049e2a23e6d9bfd036fd91657b9

Download Submit
C:\Users\Admin\Desktop\CompareComplete.pptm.HORSEMONEY.206-298-7C8

Filesize
577KB

MD5
bc03f33bf60991544d9e46440913ef76

SHA1
c1c2258d98c9bef84bc47e37516fe415013e3246

SHA256
938ceb0cfd9f565c6f44196e66db078047d56a789d8ef16590187779a2def53e

SHA512
6f99aab66fc15d35a33425c19a0b226040a989829b873d2c6ac89b397e4c2c785f03907481e880662d1a7d135e26db437a44bfec2dbfa89af91a9bf1c26f162c

Download Submit
C:\Users\Admin\Desktop\CopyPop.vb.HORSEMONEY.206-298-7C8

Filesize
439KB

MD5
c61b99484556fdb42b058d8c25a90086

SHA1
b83595dc443060bab470c988d3e4eb936b6c739b

SHA256
7ee796348e21665f9d874541e5a07acc4e988be8176590fe6ecf474a233d24e7

SHA512
ea66a592c8f5d7e8c67ec9d7ae1a5271db7839e53e0c258a6d5572068514498f06a5a583e7bc4eb52a22bc8b1265e6d51563501256d81cc7223cc82e7612b89d

Download Submit
C:\Users\Admin\Desktop\ExportRequest.mht.HORSEMONEY.206-298-7C8

Filesize
347KB

MD5
056510ca6a5ec3617e817c4c9d307921

SHA1
8f94ad4326e8e6a3704caf43ba96608d0097a134

SHA256
7354f0481e13c4d33f6c85f93b74464ba9f88352a517dd1f0d3cf4868eaef49b

SHA512
46658d2319b47a0519544efef85ced683303b427080abb5a9dc1583907cab66b8f939fa6e0b2bda9ee62e36c79ce70320608163d791445754ae035b57d40c2a8

Download Submit
C:\Users\Admin\Desktop\GetPop.svg.HORSEMONEY.206-298-7C8

Filesize
324KB

MD5
89c5d524e8f10d3759120fd1fc244272

SHA1
335583daab26bdfae162d5f2e62c3c7e58267355

SHA256
19ec863833398d8cc7455c5995a8302222941d213ab73f6260c5a333d9316b6d

SHA512
626797a8b08607ba4720e5439b94df2f2c5545a5f3700c577444ca7edb58cf2c503360b84551ff0b5ea3e92c224422f7bae30229b24c8a17e4b20037eef899b7

Download Submit
C:\Users\Admin\Desktop\InstallClose.dwg.HORSEMONEY.206-298-7C8

Filesize
600KB

MD5
d2c64d9d90f0891b15ab8bdf59800d73

SHA1
90eff2be012185ef4765d983aa04e0870e0205ae

SHA256
c07a7eeb0ebfdfbbc829cf51bb94064879657a57a9816fa034d262d531a32ba3

SHA512
6ee0bd8d53479de1c0fceb26c7fc24969dc8f9e8863501525b127b970abb635af4b081fa53bef76fa8c0046fc9acbb73b201d3f8710b7529d1e22250f532cd82

Download Submit
C:\Users\Admin\Desktop\NewWatch.xhtml.HORSEMONEY.206-298-7C8

Filesize
508KB

MD5
ee03e382ac659abcc97f77b993e827b5

SHA1
9295a0de4e8636892a5e2d32894996c84e88fa4b

SHA256
5ff499d6157e50aed3eab0e46ce97efa13d43eeaf12624fc275ee492776dc3a0

SHA512
b012b849f284ccf1b9e18ff81583ef74f6bc66485734fb0c2918d4d5e20c153dd32f21ba727d76ca528c7f5c60e3dc998efb74db630676d187824a17093cad1c

Download Submit
C:\Users\Admin\Desktop\OpenConvertTo.mhtml.HORSEMONEY.206-298-7C8

Filesize
301KB

MD5
a54476ef221ea2d26283b57e5072a346

SHA1
da4136d13941c59e761c6ea555ba9a4aca963a80

SHA256
9e11c886394bb2a397be4f6a1d575400408b4c85233b5d4dccb668672a90c276

SHA512
b39880c63671edfdda2c53cb4c337fd5203fa11906394ddc0af773413d89fed0360f3ae63500776b7eed2e0f64759b726d7780c0d2c764bd32b437736ca17340

Download Submit
C:\Users\Admin\Desktop\ProtectRequest.ods.HORSEMONEY.206-298-7C8

Filesize
900KB

MD5
ddef6345b858bee9e6abd551eb71c15e

SHA1
ebaf0c0b2bfb66198b6f47e4987d0bdf49ada728

SHA256
c64c2b76e6ec9dacc4627d2b077c801bfd92559f39405ca84d47214e9f9f9016

SHA512
171bcfcce098658831580303de571c7fafbf347fb49ec9cd2411654eec934bc387c2e934af4b0c24097193649610a681473c196d66e85aad7db064a6f541a0cd

Download Submit
C:\Users\Admin\Desktop\RedoResolve.vstx.HORSEMONEY.206-298-7C8

Filesize
462KB

MD5
c4561649ad4c4250747ead193d12ed7a

SHA1
41b4a959d4cd64e55d461ecd157fea68832ea2ce

SHA256
7ee9bf135fc9d4f9f97fbc0466d076cb479501913a3aafcc4170649731a6cd4c

SHA512
c8f62f38929e20b10e24884beca3e670ad98b606ede31e90f319dccc49b6ee285739dd56311626cf44ba34831c316de2f041eb6ab3bf624e07dbe302fa5c4498

Download Submit
C:\Users\Admin\Desktop\RegisterMount.lock.HORSEMONEY.206-298-7C8

Filesize
416KB

MD5
db49d88300fca9e67c354730a2ca1ab6

SHA1
69689ad6dc08e4fdbac005f382da0e3e5cb2b597

SHA256
ad3a207031733d84887ee2a520f07d8f764a53ff3109cc2d04677cb7a5026937

SHA512
c58abba18fed1be6c9611558acc048e089a81008c335a55389ada487f6ec65751a4488fdaebcae536394337e989ecc77ee325f51d8dfa79b9d168ccdb0ae7d60

Download Submit
C:\Users\Admin\Desktop\RemoveSave.otf.HORSEMONEY.206-298-7C8

Filesize
554KB

MD5
8926c8270aca5e0fc6bd1f5bf0fc545b

SHA1
1e0afb11e8c154da1a85e9268b10543a3efcff35

SHA256
290c9c531152634c5f7ef26cf5b5195ade3e9c35a3c52d6bb2c1fa3141a81eb1

SHA512
2bea219cfe159e1038cb9a6fed8389a18d7415f2443cd102ce6bf63436fb3f5802f64f34ba7e1ab18f23fe6a26319fee1726b2ab6d186bcd54cdec8e95636b79

Download Submit
C:\Users\Admin\Desktop\ResumeAssert.pptm.HORSEMONEY.206-298-7C8

Filesize
393KB

MD5
cb2f90ac4f146b48705d7f245e0138fb

SHA1
9419255a43597bcd132dd47b36a8aa2f7befa039

SHA256
7ec7b6b4fc2f952505994659df5d19938e2860f3933bf40e31e4ce75dd5b2ac0

SHA512
96a847424514b1495a31d60926ef756661242b7954d212ecfad8b16adf260c592ffdd31be9969d2614f542a07227b33afa39b5f97e2fe7fc406711a60308b6a4

Download Submit
C:\Users\Admin\Desktop\SwitchReceive.7z.HORSEMONEY.206-298-7C8

Filesize
485KB

MD5
3d61d2a1f42be425518b710855c56be0

SHA1
c8e3fb9b8d0c5a3a5b98279e1d509831c9bcf6a8

SHA256
7f3553f90681000ce68d43d417732ec06c9bb23e7811494b2e41f26e4dbae215

SHA512
8318cfde6143a4ca171e976aaeee57e3e0185a5840abb0d1fb005d91b2b4b1f0f1d07e021d202a433a1ef0c6d4b5ddaf27de7ffb271cddb371c7262f5357a832

Download Submit
C:\Users\Admin\Desktop\UnprotectSplit.pub.HORSEMONEY.206-298-7C8

Filesize
278KB

MD5
403193a8c4a77441b21700f68d8b8478

SHA1
9eb4a72199f5c291250ca48ceb846156b3f6a9e4

SHA256
04c6b7d227c25d23a11292f4535712049d9ba0b9e67032e452daeab4539b6440

SHA512
3dd1b83574f96abe1352a010ffd1926551ed343b438f4d885ed27fbd2baffda37f54c334c74e54feed3bb84029fdd292841629c3e7f8a37c95e17e8c4d70413a

Download Submit
C:\Users\Admin\Desktop\UnpublishCheckpoint.edrwx.HORSEMONEY.206-298-7C8

Filesize
623KB

MD5
55833a977cb6717c4892f282bd5decdc

SHA1
e4447f1c8ab738eedb181d99e669c9997082928b

SHA256
a0a696dc7f7eabc5e6a20cea5223dd871852e7ab41467b56d7955447764acb43

SHA512
cabcd9479cb89bbd12f4246e9b14f1afcf7c781d210686b322bdf63919418af479eb57aa4afb712c3b9e01a3673259117a9111d663514cf49c7e09523c165aa9

Download Submit
C:\Users\Admin\Desktop\UnpublishUninstall.ps1.HORSEMONEY.206-298-7C8

Filesize
254KB

MD5
b3ed39912fdaee3054238b78f45a8521

SHA1
76c38ff611239fe2bcd51d240ac45086b23fdb81

SHA256
2776eca517adaff65a89e90873997fdf4149b6fb50f5cc51be35b2e2ce25e5e6

SHA512
211de9f91c5c412e87b282a78973acfe85bee1c4b0a247982d725153fc3c70a0ec4c2a092877f62c38f2db0c2f5e02f2f0f4ee94b32e3e65096e28d0b60c6eb4

Download Submit
C:\Users\Admin\Desktop\UnregisterClose.ppsm.HORSEMONEY.206-298-7C8

Filesize
646KB

MD5
f5bc292d8fee74f05f653e75cb6e82db

SHA1
a09f74f7a9229fa67bff4172e2836916ae822190

SHA256
9056ce9c5438423b82c113065d1eed1be40acaee78e097f6db3cb3c0db4423ea

SHA512
88b7efd451254a44dc7eae50f373660af2fb81aa80b3a295b68cf870e33f1436da7cf1057dcb5d0b9ca8548ed2ce4f602bf20abf8202b275aae7081d543d6f68

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
1f0b273988945fdcd6da5d05f1fd43f6

SHA1
7a82fca12ae2a9a1d92adf499dbe46a9bd0edf2a

SHA256
15aa82b8653d824619751512684c6a6bb875f72fa2fb199fdfbf9d10885af9a4

SHA512
84ce5138bda4650870439343fcc28a220c5026b01fb9888bd8c6d44df6a7e4641a2765034321e29be6cc3037b8fd898b34673ab48e0824f5fee3f072a3b67566

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\.zeppelin

Filesize
513B

MD5
8bff8f7ec2dee0630915c750011b1bad

SHA1
3f37e6bc23aba846bffa9d510bfd03024af53c73

SHA256
aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3

SHA512
e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe

Download Submit
memory/784-26748-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1068-7388-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/1068-25308-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/1068-26728-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/1068-17266-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/1068-13355-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/3452-1296-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/3452-20-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/3452-26749-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download
memory/4404-39-0x0000000000C80000-0x0000000000DC2000-memory.dmp

Filesize
1.3MB

Download