zeppelin | c367db84b024c1ca76cf66b046acad61c5a8d79398e8aba1a7f18af60eb38dc0

Analysis

max time kernel
115s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Size

218KB
MD5

2429157f5f912cf24d894658961686e8
SHA1

e2a06afcaaa6962166d829207d3bff3bfc699d05
SHA256

c367db84b024c1ca76cf66b046acad61c5a8d79398e8aba1a7f18af60eb38dc0
SHA512

6782ce79484bcea4c931df2bee0903c96cace844de5726e78823e60a42310901985a75cdec70c81aa3ca130429b09f5163289e2ee6abd16aea17423d8ecfbadd
SSDEEP

6144:HC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/IxU+:HK972I/Gf2a4DQFu/U3buRKlemZ9DnGu

Score

10^/10

zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVER_DATA.hta

Ransom Note

<html> <head> <style> body { background-color: #000000 } </style> <title>ORCA HELP</title> </head> <body> <h1 style="margin: 7px 352px; color: Crimson"><strong>🔒 YOUR FILES HAVE BEEN ENCRYPTED 🔒</strong></h1> <h2 style="margin: 7px 464px; color: Wheat">Your ID to decrypt: <font color="white">888-5E6-65D</font></h2> <h2 style="margin: 20px 270px; color: Wheat"> Contact us: <font color="Goldenrod">[email protected]</font> | <font color="Goldenrod">[email protected]</font> </h2> <center><div style="color: SkyBlue; width: 70%; height: 50px; border:2px solid; margin:auto"></center> <div style="font-size: 18px; color: red; margin: 3px 0px 3px 6px">Unfortunately for you, due to a serious vulnerability in IT security, you are vulnerable to attacks!<br /> To decrypt files, you need to get a private key.<br /> The only copy of the secret key that can be used to decrypt files is on a private server.<br /> The server will destroy the key within <font color="white">72h</font> after the encryption is completed.<br /> To save the key for a longer period, you can contact us and provide your ID!</div></div> <div style="margin: 5px 0px;"></div> <center><div style="color: SkyBlue; width: 70%; height: 50px; border:2px solid; margin:auto"></center> <div style="font-size: 18px; color: red; margin: 3px 0px 3px 6px">In addition, we collect strictly confidential/personal data.<br /> This data is also stored on a private server.<br /> Your data will be deleted only after payment!<br /> If you decide not to pay, we will publish your data to everyone or resellers.<br /> So you can expect your data to become publicly available in the near future!</div></div> <div style="font-size: 20px; color: LemonChiffon; margin: 20px 30px 0px 220px"> It's just a business and we only care about making a profit!<br /> The only way to get your files back is to contact us for further instructions!<br /> <strong>To establish a trust relationship, you can send 1 file for test decryption (no more than 5 MB)</strong> <div</div> <h1 style="margin: 7px 353px; color: Yellow"><strong>&dArr; &dArr; &dArr; &dArr; &dArr; &dArr; &dArr; &dArr;</strong></h1> <ul style="list-style-type: square; color: Tomato; margin: 5px 17px 1px 17px"> <li>Do not waste your time searching for other decryption methods - THERE ARE NONE, you will pay more for your time!</li> <li>Every day the price of decryption increases!</li> <li>Do not rename encrypted files.</li> <li>Do not use third-party programs to decrypt files - they can only do harm!</li> <li>After payment, you get a decoder (.exe), you only need to run it, and it will do everything by itself.</li> <li>I only accept Bitcoins! You can learn how to buy them on the Internet.</li> </ul> </ul> </body> </html>

Emails

color="Goldenrod">[email protected]</font>

Signatures

Detects Zeppelin payload 15 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022c48-6.dat	family_zeppelin
behavioral2/memory/4504-13-0x0000000000190000-0x00000000002D2000-memory.dmp	family_zeppelin
behavioral2/memory/1956-15-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/4344-25-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1956-2526-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1516-6354-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1956-8788-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1516-11630-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1956-13824-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1516-14604-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1516-19559-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1956-22897-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1516-26243-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1516-26852-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin
behavioral2/memory/1956-26881-0x0000000000960000-0x0000000000AA2000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6122) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
30	3008	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe

Deletes itself 1 IoCs

pid	Process
2680	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
1956	services.exe
1516	services.exe
4344	services.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\O:	services.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt.ORCA.888-5E6-65D	services.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\HOW_TO_RECOVER_DATA.hta	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-fullcolor.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\skin_beeps.lua	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\HOW_TO_RECOVER_DATA.hta	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\OpenSearch.tmp.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-125.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\resources.pri	services.exe
File opened for modification	C:\Program Files\ExportShow.docx.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	services.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\PREVIEW.GIF	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	services.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\HOW_TO_RECOVER_DATA.hta	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\PointerIndicatorVertexShader.cso	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-24.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-colorize.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-white.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\HOW_TO_RECOVER_DATA.hta	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\HOW_TO_RECOVER_DATA.hta	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-125.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-200.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-100.png	services.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.ORCA.888-5E6-65D	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF.ORCA.888-5E6-65D	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\HOW_TO_RECOVER_DATA.hta	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	services.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\HOW_TO_RECOVER_DATA.hta	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3400	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe
1956	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Token: SeDebugPrivilege	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
Token: SeIncreaseQuotaPrivilege	448	WMIC.exe
Token: SeSecurityPrivilege	448	WMIC.exe
Token: SeTakeOwnershipPrivilege	448	WMIC.exe
Token: SeLoadDriverPrivilege	448	WMIC.exe
Token: SeSystemProfilePrivilege	448	WMIC.exe
Token: SeSystemtimePrivilege	448	WMIC.exe
Token: SeProfSingleProcessPrivilege	448	WMIC.exe
Token: SeIncBasePriorityPrivilege	448	WMIC.exe
Token: SeCreatePagefilePrivilege	448	WMIC.exe
Token: SeBackupPrivilege	448	WMIC.exe
Token: SeRestorePrivilege	448	WMIC.exe
Token: SeShutdownPrivilege	448	WMIC.exe
Token: SeDebugPrivilege	448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	448	WMIC.exe
Token: SeRemoteShutdownPrivilege	448	WMIC.exe
Token: SeUndockPrivilege	448	WMIC.exe
Token: SeManageVolumePrivilege	448	WMIC.exe
Token: 33	448	WMIC.exe
Token: 34	448	WMIC.exe
Token: 35	448	WMIC.exe
Token: 36	448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	2784	WMIC.exe
Token: SeRestorePrivilege	2784	WMIC.exe
Token: SeShutdownPrivilege	2784	WMIC.exe
Token: SeDebugPrivilege	2784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2784	WMIC.exe
Token: SeRemoteShutdownPrivilege	2784	WMIC.exe
Token: SeUndockPrivilege	2784	WMIC.exe
Token: SeManageVolumePrivilege	2784	WMIC.exe
Token: 33	2784	WMIC.exe
Token: 34	2784	WMIC.exe
Token: 35	2784	WMIC.exe
Token: 36	2784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	2784	WMIC.exe
Token: SeRestorePrivilege	2784	WMIC.exe
Token: SeShutdownPrivilege	2784	WMIC.exe
Token: SeDebugPrivilege	2784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2784	WMIC.exe
Token: SeRemoteShutdownPrivilege	2784	WMIC.exe
Token: SeUndockPrivilege	2784	WMIC.exe
Token: SeManageVolumePrivilege	2784	WMIC.exe
Token: 33	2784	WMIC.exe
Token: 34	2784	WMIC.exe
Token: 35	2784	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 1956	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	90
PID 4504 wrote to memory of 1956	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	90
PID 4504 wrote to memory of 1956	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	90
PID 4504 wrote to memory of 2680	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	91
PID 4504 wrote to memory of 2680	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	91
PID 4504 wrote to memory of 2680	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	91
PID 4504 wrote to memory of 2680	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	91
PID 4504 wrote to memory of 2680	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	91
PID 4504 wrote to memory of 2680	4504	2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe	91
PID 1956 wrote to memory of 4468	1956	services.exe	94
PID 1956 wrote to memory of 4468	1956	services.exe	94
PID 1956 wrote to memory of 4468	1956	services.exe	94
PID 1956 wrote to memory of 4748	1956	services.exe	95
PID 1956 wrote to memory of 4748	1956	services.exe	95
PID 1956 wrote to memory of 4748	1956	services.exe	95
PID 1956 wrote to memory of 5104	1956	services.exe	96
PID 1956 wrote to memory of 5104	1956	services.exe	96
PID 1956 wrote to memory of 5104	1956	services.exe	96
PID 1956 wrote to memory of 3336	1956	services.exe	97
PID 1956 wrote to memory of 3336	1956	services.exe	97
PID 1956 wrote to memory of 3336	1956	services.exe	97
PID 1956 wrote to memory of 4972	1956	services.exe	98
PID 1956 wrote to memory of 4972	1956	services.exe	98
PID 1956 wrote to memory of 4972	1956	services.exe	98
PID 1956 wrote to memory of 5016	1956	services.exe	99
PID 1956 wrote to memory of 5016	1956	services.exe	99
PID 1956 wrote to memory of 5016	1956	services.exe	99
PID 1956 wrote to memory of 1516	1956	services.exe	100
PID 1956 wrote to memory of 1516	1956	services.exe	100
PID 1956 wrote to memory of 1516	1956	services.exe	100
PID 1956 wrote to memory of 4344	1956	services.exe	102
PID 1956 wrote to memory of 4344	1956	services.exe	102
PID 1956 wrote to memory of 4344	1956	services.exe	102
PID 4468 wrote to memory of 2784	4468	cmd.exe	108
PID 4468 wrote to memory of 2784	4468	cmd.exe	108
PID 4468 wrote to memory of 2784	4468	cmd.exe	108
PID 5016 wrote to memory of 448	5016	cmd.exe	109
PID 5016 wrote to memory of 448	5016	cmd.exe	109
PID 5016 wrote to memory of 448	5016	cmd.exe	109
PID 1956 wrote to memory of 2056	1956	services.exe	123
PID 1956 wrote to memory of 2056	1956	services.exe	123
PID 1956 wrote to memory of 2056	1956	services.exe	123
PID 1956 wrote to memory of 2056	1956	services.exe	123
PID 1956 wrote to memory of 2056	1956	services.exe	123
PID 1956 wrote to memory of 2056	1956	services.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-12_2429157f5f912cf24d894658961686e8_zeppelin.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:448
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1516
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4344
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2680

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzE5QzA5NjktNkEwMS00NEZELThBOTUtMDBEOEZGOTMxMEM5fSIgdXNlcmlkPSJ7MDM0NjA1QkUtMTE2MC00MUJELUFEQzItOTlCN0I2NzNERkE1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDc2RUZFQ0QtQkNFRC00OUY3LUFERDAtNUQ0NDY5QjAyOTgzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDE1MzM2NDgyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HOW_TO_RECOVER_DATA.hta

Filesize
2KB

MD5
cc05205f7e468db08d993f390586cd93

SHA1
47979722a8df5f93e3889aeb9c39bd521db5f9b6

SHA256
601fd4ca88710a56b19087d0b8f614d4332c2b3bc16cfdbfad4b79840a890a80

SHA512
e4dc63eecf60c0cdbd759c9644bd1936afaa27a647b7ab00202a0bbdf9fc40b96f01a4923307d776a0c3571042b3eedddaec4b36b5c2ca9cb6c8329d6e729cdb

Download Submit
C:\PerfLogs\.Zeppelin

Filesize
513B

MD5
5c28c47f3bfed42be4598353c37b09e7

SHA1
ba812147087474e80f619c52e5dc1270e0cdaff6

SHA256
d019029034c1e18a571b7847c7b937339adb4c6f6fe0524afb10ea98bfc525d5

SHA512
b71da960a550007f2ad7d664b093c186d1ee8e8c3bf0fa85f45c9e0ec051dc6e68f85bbc1d01f908616052e949f2e9e104b2b875bcddef9772c86ddd66fff3b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
948992b3fa8e37ac1b5dedff5c601689

SHA1
8d74cac266bfd443666cff2b7c12139bde27999e

SHA256
4b1c1e6250fe54edb6e6638a99bf75fb203c37df6eadd886d913b0bc40bbdca8

SHA512
c73b134c400fd827adc348a1fa85f1fa103dc5294e3993443ed953fdabdedd780b432f9393361afbf8c34522db9388de9f3451b879b1501bde29473ff64072bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
f82bf507ae4021d998f636a8749ed3ea

SHA1
b5a4f7124210a5d539ad06fd532fc04e92076220

SHA256
32fc5ae9989e6aaaada58adcacd306cc309da9c9b674d00d141bbfdf23eec832

SHA512
9e3cc31a17292cf4e74504d3da562cd4589cdc0e51b045ef017cacc9e2d8ca8b5e09839c306a5671285e233743023bef47ae7c2d5f3d00440538f47bd08fb13a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
80906ad3d24e5acc8cbb3f3214f34507

SHA1
7fdb2ef0a288a438dbb1caa5c3b39c9f12e8b770

SHA256
ca8a1ea70cea14797f25667f6194b6ff20bb59e94cf30f52f4217311433220eb

SHA512
7e0335b56a1333fcb1df8847ce76b88a1390a8b4dde9bad9dfd182cdaf93e2c4e171810383ef63f67c516890397b81a08ff00d6efc737ecd9eef72f4b4b3356a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
062372cc2d71ce0fe566cb62eddb803f

SHA1
70f8157a3fb9580586a026489b13e86dc948dbbc

SHA256
eb4a8b07c9c4a12176f1d3225bdd7b2ad3a5f5de13d0060f1f9cf364ef75a0b6

SHA512
cf2ab1a978577ada94503be7b5a0792226dc07be1c9e6a0ed2b6da1834864151a40fba0c92ce2da08abb4a37f12855de5bfd0d757930926c3cbdba82e58a929a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
ba66be0b4f6516c187b38e1077ae910b

SHA1
559dc8be0928043f144eca82bcabdde599e507bd

SHA256
d9581f2a9dd1fe438e41746e5a2d572cd73baf09c27b9e9ac78c51285a41da0f

SHA512
6bec7a8d1b00dd48c06c5cff2631543276bbd652e4e760f4a768724e1995d0d8c82dfd9bb0140b8f2e6d2b23e79deb566e4a792913f50bb386d696dff0b711ef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
d8d2bfaa9903b1686c59e5c40aedf772

SHA1
c5e76ed3664bb848b6fb1466cbdaff5a5a0a8cbd

SHA256
8f46c5dd31c37b8e69a2d17b8f5a28ec89aeb81ef089354f6fc5466d8bc62b74

SHA512
6da6f8dc72c9d823f7a1b4d9557c26aa560a6603549b9e5abb3030b2c51639a305d0aea71352cffabb2a2e7849d4cff6eb271aaa85fb4ca98653902b83a945bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.ORCA.888-5E6-65D

Filesize
10KB

MD5
c960117875943566e06da88322c15438

SHA1
93c795fbb796af81e4663d484cf424f5e91bdc36

SHA256
30d31597d14897271aac3ec492284569e5a8ec0648dc17948ddbacdc032872d3

SHA512
e94ebe1cf2f4f1c4006e2208d97e70c630c9a5ba3885bc20c358be1039b1d148ca80ef5c226f18ca87fdd25099a920f78e47f46db9e64736708a2d5c4b5c84fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
a7c8431c24706bc738d24beacffe4c67

SHA1
b5df377e56d69d3bf8314aad86c312d396ae5a0e

SHA256
e1358520cc4a61f4e58b0b4612b64c05331e2955cd98d5a0004ed636c3c11fd4

SHA512
e5c95b9dffbd700856a326f67f106c0792e6466b869f11aec216d1327bf460ad548f327664f44dd92b23c44b057941d45df125106d770c18adffbeef02504be5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
35667d2d0c719d006c9066e5bae13949

SHA1
35fd0ecc2ed9bab2ef3242d16dc2c4713b087346

SHA256
d9394f7d15740d6f3bf5f0202bbcbbd765382d3417446d053554d66a3935432b

SHA512
6bc0d0bb65e39aca66910944f461d8c1332b7e1133fcca4c34878ee3667d97b54f1fcb950e283510216f17dddb6ef50db58f5c946eb153b600acb362348b5e94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
4c30f7da493089afe08d4baefa42064a

SHA1
1966a6a3e9a8e1250bc4442aad04dc1b33c8af17

SHA256
31330efb63dd2343a1cb97b8ff1c59b265549d1676459067fde6383156a86a45

SHA512
7f451b6cf2ab1ee5ffa497fb635d46772354a16a5fcdcaf9ca33094d8d610f7ec8287fd5032f412bc27e9f9ccfdc4df3311ee4c72e2fe36cd6e7f04326eb1eaf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js

Filesize
176KB

MD5
edac5c0136e342e9e99e5485eddd7538

SHA1
83a3feea74126e23bf35fb11db0bffe56de3c0cd

SHA256
824de1fe51b0805d226849af41a967123fe858b069b0515ef81b977f51ce0727

SHA512
a86a1976305662cfb97e03477fc0ce2410e8415421a8d942aad860775b253d42d0f6598df0742a9a9a82704d9b9aa58ed831ad96c74743f1bdfb78330db79c57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
387KB

MD5
4c133ee60ccad09b3f5620e6cb2f5fa6

SHA1
822dd6be9cba39270abfa382a03b2285a2714299

SHA256
fde8e31bd5e68872c9f133c83b02a7a1e34f66449f3cacd84aa25bae9e35553e

SHA512
64896d737d1a5bb9b748c254fb9c24fa6991254efb008d4b5672d9af6c00a60efa9d8696c4fa2d0f86ffa84ab626cbaa708ebdefec8f8fe611e73e95ab6dc315

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
75dbe160441435d8cd278161e949c518

SHA1
02c269525d53685ee52c79aab57de9404cea6bb3

SHA256
2493bf478ff0b6dd8f13df51dd412a1546b2f47ea3bc84a3d20a3f2f434b2b1f

SHA512
3b0da3a1e155b269028a298a5209b82ff37b582c89a5965b0abee49013b5bc64b40ec4b45b659c960d609604f75062b03bb0779a92fd28f1d3944d71eff9af1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
7cf7be568c67a9e6436cbd0bedd346ae

SHA1
1214270c32035327b25f463a54d3c4f1ec0b8a16

SHA256
0d353c7a152f483e39c984cd38ce2c38e2775fc348da41fd20168b5419447e75

SHA512
0af416ac509aabea1bbb2778260aef65cd612381f24848ff28ed52086c8112d5dbb88722aaabcff8ec85751f451fd1cbbc6b7f502d79559e5e6539b88e2ef3d9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png

Filesize
16KB

MD5
b77807be30bf5734904fbc4c48e9a40a

SHA1
6bc0f1386e4fd1607819ccca6447bbe0c8517757

SHA256
be6ec0cdb9832f89133c7c4fd0fb75dfcd1221a4df2d16f00a00dfd66cb5c067

SHA512
ceb31a497b28adb10bb83574f78b0b1327ba8bdc902e0b372c47c5a027fb7f16fc4c217b8f805782851138a4e99c309cede55ee50a88a7dd86065d64c78be9e2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png

Filesize
9KB

MD5
1e0c5126beec0ecacbb373a39d113a29

SHA1
0aa2bb5475f5f980c7fe58c043e53d4220b02af8

SHA256
0330e512c68079a1049166b9f6f2ee5fa39dbad90e9dec8173e67d5b189455d8

SHA512
5a4f0974703202bf1b0032741b73076d2aac77f164be7e592e57c2a7e7fc6b847d1ca2b12c7906d11c193c5c706666633592217ca7a26af947cd3041d09805a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
04e37d89f36e67b9145be2b1da4e2ff8

SHA1
5f91471e96f60746ec9bc4d07b7c867db9aa1c54

SHA256
2e65b30867cfe6831c7ba9c193fb3d4a22e4f01c3f9b83770fd6fc338da5d335

SHA512
54832e48b57bf6752fa48cb7348df92448a5fc942750644e67d0f4c5c934fbd2fb4337d529d334956c1644f5b922ed2ee271168fd79b3dc20f43e465fb858e02

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
fd34ded94c1bfac5b0d4dce8eea6b2fb

SHA1
f57fb1da687ccd42d0b27d94465c5e5efbc02cf8

SHA256
f9d0c1ce2045a62c523f5a4fb8e1122ad4be2341836bb4c5eec9ac0f454580ba

SHA512
c0578164f81c69d8742b90ed2cc36d9b42c4ce79fcb239acf7412da991c2c7dd02beca6542142bcb8aa3f029c9e5aa10b7de78db49c0630a7e86837e969df9a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js.ORCA.888-5E6-65D

Filesize
6KB

MD5
ebbebb3587d88abacaa6927738403365

SHA1
baed8fb36e439fd3ef595e43d3b89af36fe82d70

SHA256
7779e0e8700ff12398d9073c05e60abf2834f405a9a54230046b610eff42e081

SHA512
4f94e425184f9fbfe2f0aa91bb36bd890997d3b7d71a5f063e02673c8da0ecedb4a4b6593dc6b45a30a5fcfe576bab6828349fc0d8bbb808a1f2e3867c36a899

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
2fe208944b962582faf34528a095f8ae

SHA1
1d44fd40a462b5cfb72f87aee7f7adf5a50241a4

SHA256
9a0e2833a4dfd92fa6928fe8dcdbc809ce71672097f03722ba5fba4461633e40

SHA512
160c611093a8ad2b0cdeec60f3b029c860a18854e326e3eaf5c47452549b5be4e352eeacbb096692bbeda1c3d4e4f2472103566e4f1683e13210cb0aa58be24a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg

Filesize
15KB

MD5
9abfdbb1809ee45e5e02eedc8a2e5bc6

SHA1
ece44e63c74bc42d2c14033257d4fe2e505d561b

SHA256
df0d8f32b4e5a5212f67ce5d87b5a1ec948c5ac38e9b1c5e8b7561bf8a5994a6

SHA512
616a35b403d2a0e75bfa7b8925dc22252f4f1ddbe86d82beff676cff84f2f18c562d9a30a531d3cff53c964d867f21b0b86549970be1328e509860a232f69078

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg

Filesize
7KB

MD5
fc22ec7def931fccae7881d02a36427a

SHA1
93bd2f24d61a4c28cfba593619a4f8169324b9e8

SHA256
31726e090a569b28e8e72d17717cff793ad0accc3e6ad188953c777b9a19fb99

SHA512
aee9aa874a7d96b0aca41b05c0dd2210b96b9d58f178969f6b90f180da8e728bef7c94876945608ec66ca7b899f750acb7fc106fa2e1862356d66e71c80ecd6a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
8b3f495bd74ee5911915760f75e42fe9

SHA1
7baedd5e4194842f463c7b91b523d051120efbc1

SHA256
527a5949b4e3d7344cec0f56b55688cd6a683591ef60406e29134554daf5b5e7

SHA512
25647f8bf00a8dddfd6a939ad1dde1c7e4292205dd218fa9fefa358367a0a4206d27ad110ace84bce5b5e643d32877d58ebebcf0b3b3394d2b8bd4b0b255cf3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
44a8f6d068eab8272819c3bcad611fba

SHA1
0c27f21b2b76013e6347ff7438a0a07f05786643

SHA256
c23fe00360491071dbdf01283b4896de769baf120ec26d0ec1edba22b4a2210a

SHA512
bc5240fddfd75abcef7486915c314954af4f3323b78ba2b62b2716b8d5dadfb0d8ab729db1ac260a635c5a7b84a64f47431c5c9b3ee521eda2a4ac9dec6f556a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
0fd52876c72caeeed62c1a2d6c62fdfb

SHA1
c242862ff6f62e82cd8c517e04939c2acc4a38b4

SHA256
921c04de200cf2425048800c2126f144bd4eaa9b19cac1c4a652803125fa2566

SHA512
3426c13b69662061994e2d52687cb153d35e37e181a45cfd3f22683e153aa60001764d323a6d5f34690d659a06d316abd58acf1cec16871f72e13b208ed626e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
03ae75ae087e963542d20f5bb388f740

SHA1
0e95aa31f5795ae5937fd2e60e7b55e80bab6929

SHA256
edd89906a5f5e37f88aac951c5366069708bcf63664996ea301daffe3530bec1

SHA512
4497891a009cd69edc43c37d412d1656c646d8cf8125659e060daa1857c7c2ac68d9456b14ca415960a61950c22f84a1ded2b7a7b5b058aaf28edb22bcc7628b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
d884b556412264576937e7cceed9c781

SHA1
ae64eda7461092d74cb3e653f495969f231f2a2f

SHA256
b1f95efa15e8722ce2b86ecdcc4baac1d9d0923956490cf6cbe359d2947040d3

SHA512
77be797afce94953f4193bafc505548d2a0dea9dfde47df3b5567932412710e84516233fae7baa021cec86729cbe8f49c80bf89d980572f0fd511dfac6c831cd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
4c7936a011c60ca343ccf89fb636f462

SHA1
38478d2aa91aa7abadacddb8cb883f7d86346831

SHA256
344440c2a8781437fdb87c198f83d6f9b5d7b48f2e0a1be8c9422e75a27c3a37

SHA512
985578b25d2f65d879fc6ea860e46c48d2516792036c78f52ba2db308f1719e2ac660f724880c252a0e4b2dcbe3012b0471a3b00dd06c2054f777b116b7047aa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif

Filesize
20KB

MD5
d1eb92bbebe14cb04f0c57b71e173681

SHA1
4493e6f29b82650669856b7d967ced0dea4f2a09

SHA256
ffad9a2cc38ddf481f2a91e969aef9780764b5751556b772c9586b39f8ad578d

SHA512
03305ccfa8953d00c6d6b8a38198cf91645bd232efe0201f57c446c88ca9aee0dc875908d764717f5baecb02d2f0f3379d3560692d6cf9ea10088d65a473abf5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
7ceecb4bbb3c17fd5923d82bfb02a860

SHA1
d01b2ff2626b5093080146d387d66d1387cff28d

SHA256
f9b9c62efff0a91631abd0a7cd5dbfdcb9842c6ad22e089b19be45783cfe9542

SHA512
a6ab1b1e3dc9263f9960444077d9b6073d4ee0ad86431d7740e0fff53f5e26e79232fa9b44d95ae8e681c16f90f5a050ee35eb725c3fe34f0477ba96a2995a59

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
ad8cfd352b7c391ca909fddfca8a2ae7

SHA1
10291b7ccccd5010f209466899a64b051d39ddf6

SHA256
6760f86e046032f36583264f31ea120f869b376a9cc5da984b130e8f3a6e329e

SHA512
b386747b77505658cc86b5582a986eeb91e2324127ba119ec38e81fe136d7cfb8d4322e5002c234b7699efabf3a207cf1834bab00d36fdc67cf4e82521fdbb2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
bb76086f3f09de1a146e9c9fcd621d3b

SHA1
396a033da39d9d477f84d9c7ca0893364ab95066

SHA256
7d9402d38c1a882320b6da31283aeb0ca3682babe35b625e0f6849ac9fcdcc23

SHA512
a50062ebfe483b3cda2f551b146e5fb853400def84917f9ffbb46c4fd2172a45cc0c9a20f4bfb12e6202671b46806be56d72204de93ee0d15bfb26a53e461fd8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
0347790b9d331a18eb6f0f9feb33b544

SHA1
1ceaecbafa975272c451ef997c0031d01bc0d502

SHA256
7a08eec3e07ffd9f15ad1bc6eadccefc8f2608e23ec59b4178b7a8180e75f9be

SHA512
306b5cfd6989bcf9b3ada00a80391c7e3d906e57159fbda304d8921724bf6780dcbc65621beb2ededb0d204871e01978665dd22aa7ba54337cc303a59d5d3092

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
406d6b887fe2610c0d4eb115b2f38a8c

SHA1
0bb5a646b1ea97aec3d2bc4d711807caf650d016

SHA256
eebd434bd02833f4e4b746f9f22e83f4565a9232818d79c2ce6beef4e9ff1eeb

SHA512
891096ddc8a23807e93cab689223dc232ca6ad0d79a81cd0713865f7a5b5850e98dda7b48be0355e7df98a0ffd528edc732b90f6c2d5147d9530ecdc548cda8d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
c50ed085fc474d0893697965dc752371

SHA1
570a5a20f04266a886311a9c99807fa773949d34

SHA256
cd1d4de7b6bcc33dd75a76daa8613d942fd21d92d8f24ec87fbd5a999e28347a

SHA512
0b5171024d8b988523354f3423b6c5a5f80f1f3004eb1e828582a16c4a588fc4c727725add2a4d1e227d74bab1ce45af8d3688e87f1ebf8a4b8f5fdbc220da4b

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
1af0cb82fe68aea2e1a9495101ef1f7c

SHA1
c2ef4a55bf12176f11597bd3ba70ee3577e609a6

SHA256
8de787b96486f1488c62f2846f705bf68073182d4d24e25d3cab8a69540ac71d

SHA512
a04e2b7c49167b17df61dd15383cb74888536e76dc249a5677d42f2d4255b3eea542f2222b64d5cd3171550f541990d7900912ddbb7732af5a0d252286ef8c87

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
4bf2cbe199e174caba15cb641f9f3cc8

SHA1
72bec29ad0ccc767d4bb78dded510777d53b54ed

SHA256
e839b784faaa1b509880b4c52b0f883a1e682ea969b9d23663383ceba27ad076

SHA512
756a34a2a64f57f9945c295d0d6b62dfd2b4ee66d7653d4ae759b83c2488503fa6e12dd5b35ce61b3f6ab13f24c2ff8ef4e9c28c795bc655e6d08accc5f8e5ff

Download Submit
C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.ORCA.888-5E6-65D

Filesize
5.4MB

MD5
75672124182dad9aaf3b07e80039bb8e

SHA1
2fbc3f4145218f4cb7862130f0f83beacaa2af52

SHA256
4d2a7a6a5302aa1efd4ec73186ac8db8d4ed80d4604cbcbf014b105ee8be6482

SHA512
7fac93e8d8e9109631a5da782ecd3229a641b29071ff7cdad6fd6f42fa598a9a1723dd95e8e7cd3888cb497a991b873ffca7910ab17ed0602b1758b4fca4bb7e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
aa970222f8436c37923bd6df08ae36fc

SHA1
3922cba2e7f3453b11cd59f4ce43c6f32da4e10f

SHA256
d6dd4267527bb5d41d4183b49f3b49047abf4b4d5f73037dc2d120f75086da05

SHA512
deddd0859b2de0976fa31f55cc022aeff760cf492e0528b41df15f07eb7fc101200c611cf3dd3a17d08bbc5570e7b38552695bda0bcf7ee32acb5ec46059bcd2

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
6870b7d8c595b6d04839d5a3a20f35f7

SHA1
1710e4bd9c2092edce4bacf38c0f29f714393f79

SHA256
71aedd5b54207ba3601fb793aca22dddfb95497c108a1eb0818c9054154a48e9

SHA512
07424c4c473f64c79b0c8c713ac8a24630100442696ab24a4139241c6875c57b46d5de33520d0ce175a5f373d27b2f13870a3998af6e8cd11cba6688d76cc50a

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
8e96e4ae484f8c0a4b800cb549b9a029

SHA1
e6c488715176d1df05c16c8fc8546234594b35c3

SHA256
ba51c05afec45c0bd7d2efcb4314c1f172b5a34d79ed16e2b87d3d232962ab19

SHA512
611e530d2a4c598eceb588836733acb1a1e115471b921d87b64a61ac4b18517d9279ccf2c30229c5773013550347e2697c32c75b816ca7891890350b1ef55afc

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
da6ceadc543658d2f0c45fb5cbe2dcfb

SHA1
2018c7f34204958a1e85ca07e0dcdab191f69193

SHA256
8545027c37e15335b170924e164bd78c6a01bb40ebb16ff445cb010030570afa

SHA512
c74ac85587ec954caabcf59608e623686e5cf986e2a7bf7c44ae9ad2c8d8ac8defe5f55615f0a3c57e8364fae651b59b2c6f07d1db006a71976b23a932b3c10f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo

Filesize
605KB

MD5
ac2a0eddd8686262c1a36c3530b574fa

SHA1
70a59f6163872d0b5dabeff79e38d79cb424b2de

SHA256
3a72983343eeffbebd5a27cc37322a78ed4e570e818ebb5437bbef7dedb1e4fa

SHA512
2993d1f715e9731e07c14cfb7ef62211247eb20ce19a1a491783f2a3f1403d108010e1aab62bc3e44f4848ac2c440c79bf89de209411020c93b6dc7f609bd657

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
612KB

MD5
c6be4e417574afc8a0d0682ff514df30

SHA1
eee746ac01a613fdf37f99a8e23da7666d7b6eb2

SHA256
3e57e221aa1f1539f4290ddb51a416d1149f12e5dc2caa8acb4de5b3b601248c

SHA512
79b029b883338a6125054fc2fd710760bac8e1db963a9b296ecbeb89f19d34cba02938153da32e707b298f9926676d14ec8e26cd6e9558c6531ee4d995a28943

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
bbd909a7f3f9844f38505c212f86a966

SHA1
4f80812c5ebe9e3aade8e6ca7670d9fdb01b5a69

SHA256
e8245bb58f9a68cd1f6e9e9646df6544f29711f33322ec4d3eeee9db768745a8

SHA512
76d6f9c36da177aa29dad7fbc6eefecd9400530c940e645e6349f45ee2989436c6846a0315e83c198c640835db0e1dfc7957a3e9869ee215ac095d5123df2765

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
05f9d87243713c171cf5e61e9da71c53

SHA1
c899b53958da59d1fd67dcf1e50b7a9d0cb8f57e

SHA256
4770cea269152f08769d50cfd04af57374cdc4fac3c7daf4a726f28ab9b9679e

SHA512
8b127d6741275684600c4ed7fa3ec294447f994664e3865ae240105c03ece73e6c588a3bae8633cbf751d5dc6265cf696a693503e1f33dcb748171da710f6f0a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo

Filesize
594KB

MD5
044af73d17917eaa2309f484c09ef637

SHA1
856d586074bc90e3baac3c2401d17f393d7994ce

SHA256
d429e668ce5a67dcea129662755065d9922f2d317e265f6b2504e87c8460cccd

SHA512
919d088f982f9966199bc981aefe8c6c3d7ba5f29da3357554e2c6b93b5205707623a948ed168b5db54591120190c313d82424ded471e5b0b96304164e8bbabe

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
de9ded0984ba76c154c4bf805b5da475

SHA1
1dfeb862de6780fb1fd213caa246f7ded72ca6e2

SHA256
0e2d5ba1c2ee231eeaef58802ab883e47a4b887baf8fac530bfa607ec89418ab

SHA512
42da24239da666ccb229800a286e3cb2b9da429148cfa2bfcd11be5bd7bb6f4e4ca9d6cbad620889806ac6998d97e70e5eef3e2afdae0ada6d965921c145d6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
521B

MD5
5c70b3bfb558be59b19cd5545b383455

SHA1
ce6d7cc54c6b34828772ec59a40bf424b7685c91

SHA256
28c7c34e8a0c658a1089ee2c7c5190c98e6e0ec9a6ebdd1c5535e0d37b48c079

SHA512
48dd2b9ac4463296da65553d7bdfc072f0e399bd3485d69dbc5ddfa42f858dae32b496c79cdde13d119954bf2a3e2842bd703e367e7755a773f9e6b0178a5844

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
218KB

MD5
2429157f5f912cf24d894658961686e8

SHA1
e2a06afcaaa6962166d829207d3bff3bfc699d05

SHA256
c367db84b024c1ca76cf66b046acad61c5a8d79398e8aba1a7f18af60eb38dc0

SHA512
6782ce79484bcea4c931df2bee0903c96cace844de5726e78823e60a42310901985a75cdec70c81aa3ca130429b09f5163289e2ee6abd16aea17423d8ecfbadd

Download Submit
C:\Users\Admin\Desktop\AddOpen.MTS.ORCA.888-5E6-65D

Filesize
439KB

MD5
d1069688d518683e8df8707804383d90

SHA1
afe4b258fc0b4d524783dab54e872f2f82001682

SHA256
444e629031db42e71948ad4c1db2454840b456a5527c0f7be2f863491fec5070

SHA512
4adca6855f7636eb3d68faa2fc8b18a297c4d480de09a170e723870a060cd6328abbbe9321479b76fc38731b386a1ea449be186cafa1670e0e1f0d4b4097b3cb

Download Submit
C:\Users\Admin\Desktop\ClearHide.ttc.ORCA.888-5E6-65D

Filesize
249KB

MD5
6a09ff1485549967500962599144116c

SHA1
d7b07ce81a3d64841330ca49cb54a88c4344f45b

SHA256
d675fe1d49f41882221bb3ec62ba170c89777a2086ebd98c57d7afcf04f67f27

SHA512
2c7f4b3af4a9aa8929d8f44b2e366923438e23b929bdc6595824d84ad091d648e16236e2bf5b6d6092ca97a38fd606a10ca4b700a4e4de247bffbf770932fc1e

Download Submit
C:\Users\Admin\Desktop\CompareMeasure.mpeg2.ORCA.888-5E6-65D

Filesize
287KB

MD5
b64d4929b3dcc95bdbd010b36ace7575

SHA1
6d0c482eeb36cfd9f6e4f5dd4317ea13ff12c352

SHA256
94283514ba8f1165b08de5528477e507022e0ad23f340e4f729fa4f5987097af

SHA512
809dcb8d3a14a2ae9217d158e4d460c27b57e8cfb4f083aed4034d47af117c4a6ac96c303f6f8081832ac34fbf2ba1038b37edbdc60a0935a592a011a9746bb0

Download Submit
C:\Users\Admin\Desktop\CompressWrite.docx.ORCA.888-5E6-65D

Filesize
15KB

MD5
19829574468da041bfb5e1bb8c5c6a97

SHA1
fa33429e1f0954fac2265c7f56704a157c08b185

SHA256
d324bfbbba43801f5e2e5ccad27a2658d5ed58ca380804ffba3a014c0adb1025

SHA512
15558306d1d73f29cb1a6d6ff3904fff7f7f70a678c62a63e73dd18cf6cfa4cd0754fc079fdd4463ae81f6f9bf00224647b04c7ed72ac74dd40c799aef558f20

Download Submit
C:\Users\Admin\Desktop\ConvertFromInstall.wma.ORCA.888-5E6-65D

Filesize
458KB

MD5
bec81d7925f8c772a7e6744036b8ebed

SHA1
fe0bd7980e183a42bd38cc9df1d1345c7c3f595b

SHA256
0402889480c327be42ce7276cffc927061106fbe4afaa6e73bc37dd05707a857

SHA512
d28f1faa73cd68ca4415290b9030808d87d22613164709062a1864ba05e569aeb6422cbdac43ad6c60aac2529e7d11fe764fafbcf5a6d7b791e97d5a657953da

Download Submit
C:\Users\Admin\Desktop\DismountConvert.mpp.ORCA.888-5E6-65D

Filesize
477KB

MD5
9dbceeaa40eb303968752f640b289bae

SHA1
ca779954ca4f27a415b6d21c59603abf9fefcba2

SHA256
ddda396d3da091b040235114fa1a2cc7ca017002c028cec96f08d2c26bba4f54

SHA512
45e0c00b3f111aed50fdd99b6177440466661b8c6e09afab040c471015b305d3634136c7c5c4d402fca72652b14b328a8eb7180f1b580d793e848f4d79510b15

Download Submit
C:\Users\Admin\Desktop\FindConnect.aiff.ORCA.888-5E6-65D

Filesize
515KB

MD5
c7741e9a26cf8ae7e7a0fe0b36842388

SHA1
39db14a67da8579b85ed7adcfe41e93ffd52c404

SHA256
41465855781da6f269dc0d9a232afa78d5901e55097e138c6b47b075dd944831

SHA512
4a4254a5bbec339cf71c4f58cc64519265d6ce8de794770bd7630d4cda4b97c8b0c39027f2f322c0430be1e1a3a2869710752ab9d27ad42128db168a17be8f70

Download Submit
C:\Users\Admin\Desktop\FormatOut.docx.ORCA.888-5E6-65D

Filesize
15KB

MD5
6afb41900b314b226b78cbc60d0f0783

SHA1
80ac69733e815a31d27a40e3939e7cdd7eaeb401

SHA256
72aea5b6fc8547814ee0904ff0ec6359308d11ca4f563bcd620322bfb9d266f0

SHA512
d7a9f34e4094f74fa06d598f3ff70381b6caa1fdc09b5c098f449de525f0a4620ed606c19f4d96cb4cf702f43dc905bd3b4c78a1f18db76a8e359450ef18b622

Download Submit
C:\Users\Admin\Desktop\ImportProtect.pdf.ORCA.888-5E6-65D

Filesize
344KB

MD5
d89a2de899634a39259f5380ae0ffa52

SHA1
abea36fcec309659b9c70b057d5fc5d449aa6589

SHA256
3e203fbb242060ad82e2586b3503483f1906a4fa943553f2d9e784ee0fe43fc9

SHA512
59c72c55913c3d20844afcf67e7d67fc33cb8d2082e8f751e9411f72e00410d08bac3f9dd5f33e21b34fbf84745f3233bead91948cde06a6d17b5445bc3fb17d

Download Submit
C:\Users\Admin\Desktop\LimitConvert.xhtml.ORCA.888-5E6-65D

Filesize
496KB

MD5
bbd2add80415117c6a85ef9b87c71be0

SHA1
87437bcb147080156ba532add42856d8cc0194b7

SHA256
756bfa64776778d244a304083f9858718bfa946a86372006768b9760ba1441a7

SHA512
cb0bc8d8a8e69c48439badfaed1ffa5f9fc374f4d695cc4a71fa56026ca5936903ac4d4f0af98f9b6e0401f62ac4ea0e75b876b6c545d2d700bb24a316667568

Download Submit
C:\Users\Admin\Desktop\MergeResolve.pdf.ORCA.888-5E6-65D

Filesize
211KB

MD5
b6d2e61e753e9d0d70695642cb5a2611

SHA1
15f9ed560baddcaa3435e4e1c24e7690a8ead01b

SHA256
1acc1b75e87a7ddbc669e6094c7cc41258b975b24493d86043735292ab7119ed

SHA512
667a14f492b74752cfe1e799baa60b9bea5d96bc60a5326645d9f285acb8965a5594a60b91c6fe1629cb51c146289c631686b7fef8ba0a49f98766068ec4f031

Download Submit
C:\Users\Admin\Desktop\OptimizePop.tiff.ORCA.888-5E6-65D

Filesize
325KB

MD5
e767e8867357c29329df934a07a47df7

SHA1
d32630bd5b1aee57d82dde3485540520e5f6e631

SHA256
78dff12357aed93e69508c5d994a96b8d6d9797e133e343ab40743931727e103

SHA512
37fd94064024a7de715cbb69209a7292f4a97b1c79e0f97a34b65f017d0fe79651481b7660942b186a89db2819499fed2ac8ccaa2613bcf419690429416a18be

Download Submit
C:\Users\Admin\Desktop\ProtectUnlock.raw.ORCA.888-5E6-65D

Filesize
382KB

MD5
7d790d6e6ff61df7984cdfc1820cf1b4

SHA1
0068ff622816f35180d46f860fe92e38fc821a65

SHA256
90de0a83eb187894f042856f5af8f4e15403de18558215c46e4bde6c7e7821c5

SHA512
9c3cf7b39f8656ad19e24eda877c207ce96e2691567d60fd993858a5b904b60d126931991bb07f988e6fffcffffc60c7a6d253752ea9b47d09bb2cc1408f22fa

Download Submit
C:\Users\Admin\Desktop\ReceiveDisable.aiff.ORCA.888-5E6-65D

Filesize
401KB

MD5
0c1caeb02f4abdb8f8e72ef612ba1006

SHA1
1621089a239297af0ff932405e774bb87c86e2ff

SHA256
36be03964750705c4ce8980016bdace53b821db170fce68fd3955159247ebf53

SHA512
70fec1a1c35a40bef82fdd182ba8803463ded7569a62565ced385d8cda4148add7e666b47c6ba9ad3bf815b492cb394f2fded2a48308d3e4c56a9c4aec02ab34

Download Submit
C:\Users\Admin\Desktop\RequestResume.xlsx.ORCA.888-5E6-65D

Filesize
13KB

MD5
21d43c4c07d8b1e38ecae47f210f302c

SHA1
9022cafba587ed691b464f1a52a311b8df560cf0

SHA256
4bcce94f48f62da2841ef5c0a4d0091173c74108b63993345ecb48d2b627dade

SHA512
900fdde8ccd476fb32822ac68284cde282baff24bd53e64dff0d8e88e371bef1477ee54f47eaaf9bda0c62a513c023851f6c72ae5c586da70eb8affec84474eb

Download Submit
C:\Users\Admin\Desktop\RestartRevoke.mpg.ORCA.888-5E6-65D

Filesize
306KB

MD5
42a5582f81e9062c5594046e8e90511d

SHA1
92b21f42a011e49c547e6ce0d2c3e88f28520156

SHA256
423490a4839bb1bc14e2171cd83ad0717afd4f8ef86115ca5d5367eaf549edb5

SHA512
26a5b63acef61575977cd08e57216af5addef7f2f24ccacea65a421e10c772ba884151e939bcf4f93ce65fd73d27e6ed488c7d2c82eea1f19e399f13725d483f

Download Submit
C:\Users\Admin\Desktop\SelectMove.vsx.ORCA.888-5E6-65D

Filesize
591KB

MD5
023cf8608ceefd2e16f1989a6951d1a9

SHA1
6d07d00e58493fff16de06f07df0ebdecd043fdc

SHA256
c7db7b6ca20d3deed72c9dff33bd65c3bd37de7992be5fe948ba94a1402da955

SHA512
fc2dc87c6cc8ef06228fd7b581496367cc3e8a4aa4db0ef51067afe8f7da3eb6468a43bb44db68e98e9f2ca2d8783c5db899683fc03556ccccee455404aec227

Download Submit
C:\Users\Admin\Desktop\ShowBackup.xml.ORCA.888-5E6-65D

Filesize
820KB

MD5
3a9a3f47fd0ef98104f1bdab95e624a0

SHA1
d13f80fd9a81c8e31296596a6dd19c70c3e93b77

SHA256
a29f3d34699c3c4b9f12d00aafbc4226b72c6c1403623bf1b3abbc69d6cfb30c

SHA512
3ffd8b0ca374340f7e196560081660b600516bed912841318334830606eadc4c8e38c46955d7b5213fafa26ed46898342b87964fb6b990f9bfec196f1a665bf6

Download Submit
C:\Users\Admin\Desktop\SkipUnregister.ppsm.ORCA.888-5E6-65D

Filesize
268KB

MD5
3d03dc3cd11bade479c0ab7f6d10639c

SHA1
9f0d58b72a694a26d56bf4ecd675e660cdcfb9d5

SHA256
64ad774f3a4c15d183305168a264ef46f0a33291493aed23dd8344aa716c14d5

SHA512
e8e7c2bf3afd7d9eb52e687e209af0d1dcb0e1f629f7fb6e2a8ffed3dd4e40bc89613e21496cc8fa25ee4b227e966c87a27f25684a3e851f6228aaf9498923ee

Download Submit
C:\Users\Admin\Desktop\SkipUse.rtf.ORCA.888-5E6-65D

Filesize
230KB

MD5
410ed96bca123d7707c30a85d31b0e61

SHA1
faca78b45d1a68b8630dd301d42c6723109a0075

SHA256
1f97dc4ea7869b5547ced08f5e63bac6fef168b86b9029fae0950fe21ebffcb6

SHA512
38ee928fd0c2632857b90ea72756fc727e44df02cd8239f7f629777a24ed695a1312a608af1861648b57c644245d060a22ba76f03473adbe876f0cd984883692

Download Submit
C:\Users\Admin\Desktop\SplitConvertFrom.xlsx.ORCA.888-5E6-65D

Filesize
11KB

MD5
b8def498afbf83ba3157c8270733dcb0

SHA1
5b757b60d8583be02f983326ed08010b2a5222ff

SHA256
0e6bff9e925a1987281f80c2d9ee68bf4ecd7c62b7ffa34768b17b03b8633858

SHA512
caf8e4cd65734ea8a752490db20a84b722ce7b8a69352f566e927a7c3bcea56281ad4b512b34dc2a61aa81e8fabdfea279600a615324475bb3959659f6d8b223

Download Submit
C:\Users\Admin\Desktop\SplitSend.iso.ORCA.888-5E6-65D

Filesize
572KB

MD5
5c181292c8d78389ba0be51319cac206

SHA1
3c2914c283188d0cc82c533f26d3af3f3dfd55dd

SHA256
ec9d954d8fdf4e3764ffdcc011ffa9eecea98503086988cdf356e2040463b01a

SHA512
232d2768153462474422917b1173fae007cefc6b0dac488b04085ddcd591d3dad5b13c848c60720e4035539ce521e15622756322dceae62627927df972eedc54

Download Submit
C:\Users\Admin\Desktop\StopOpen.xml.ORCA.888-5E6-65D

Filesize
553KB

MD5
cf2e339ea7197fd713074e0192efa313

SHA1
1449d95f8db0982af2fc071ccc675fbe5fa3c659

SHA256
761c0da010e017e1d134f1b776196d509a3a5ed672c16e936707cf5e9490c82c

SHA512
6997e6fcde065f9d29e5aaeb40f34b958a2ed543ff7cf59fceebd3ff7ac4086b93ae498e1f6d41f56d0dee6c47403452182ba2b2cc18b59011643d9fe2635b98

Download Submit
C:\Users\Admin\Desktop\UnblockStop.docx.ORCA.888-5E6-65D

Filesize
15KB

MD5
daa28253644c2b3b1bf08014f7426c9a

SHA1
ef67488402b0549fcde67b39746d883e0ca85801

SHA256
7c3100a865ef8378cbfd3ebc1fec4558167dc4c89f9a33c47c2075c2e5082e04

SHA512
026166e0ee7e885138fe030f1404766552d7f1bdc7e151ee21ee2855867fa0e13750195d856950071bcefe601cee4245babbf70562dbc18a9df22ba2cd8c920c

Download Submit
C:\Users\Admin\Desktop\UnpublishGroup.odt.ORCA.888-5E6-65D

Filesize
363KB

MD5
2be89b60b2f4faf2537b250d741f9fdf

SHA1
cb216f40a357e52821e23579d66c5daf728b074b

SHA256
8526624d9f07c94d893ac224d9649895bf33c616ec0e999419aa60c9d70420b8

SHA512
948da78f16b0162c2de0293fa306427fc2b5d194a8fb6c731b37740a98488f343c73502646ce45e5a57c86269965806f00a6ad1c1378dc8bf7c1d5efa4326e00

Download Submit
C:\Users\Admin\Desktop\WaitCompare.rtf.ORCA.888-5E6-65D

Filesize
534KB

MD5
3ba7e6e2e382b1c33879ebdb0f5daf42

SHA1
1aee4febfdaca8e7aca2d9617629e6d641961850

SHA256
607ab042615bcf003b6ed8e9dde8a2daff05378e0f169adef1791c87eb187571

SHA512
de0fdc5671760ccc93a2fa174f5951781967321d72eacd49f313cb498ed2a5adaaa8eaf590a69858a5b4377663f1e45f867a7c2b7190672032a049c69196cc48

Download Submit
C:\Users\Admin\Desktop\WatchGet.emz.ORCA.888-5E6-65D

Filesize
420KB

MD5
40eed5ba44d0cf02f10281abca6badd1

SHA1
54198211a1a7af1202a771f27253587903970b1f

SHA256
500ac384ee93438f63893188811115b0a9cdbb3f43c8daa20cd5e4a515521cf4

SHA512
de1de4807f84933f2478c6744da95186ef4f6b940c48b9f5f53b5a777106666240bca1472b203aaf2421d8dfc6bf6b4e16a6a81233e62e7337b572781eaffe11

Download Submit
memory/1516-11630-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1516-6354-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1516-19559-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1516-14604-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1516-26852-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1516-26243-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-2526-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-15-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-13824-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-22897-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-8788-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1956-26881-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/2056-26880-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2680-9-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4344-25-0x0000000000960000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/4504-13-0x0000000000190000-0x00000000002D2000-memory.dmp

Filesize
1.3MB

Download