c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pitupi20.exe
Size

152KB
MD5

942c6a039724ed5326c3c247bfce3461
SHA1

6ed179d6131f2407d19b37e31d4aa9c9709d4d99
SHA256

1be07198c324c9732d4e2676945ec021eeacd78775aea2100f49ca0483d3f901
SHA512

ac934d0d5defd5ea4354b743520b0d1a8280d74b953b0ea0e7c6cede3f036bfd715e8b4568d794db6f007f0b5ddd8be46bb5a8707252ed8b3cb304fb6746265b
SSDEEP

3072:4/s16aN54vUh4EyiDg2Z/1RrUPjfyUOqC4tn4yDDqJBftdIW6oc6jSsG:4/sMa74vUhVyXsuOU9vn5DuJBftdV+D

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Common Files\Services\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 4010832920</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Common Files\Services\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 4010832920

URLs

http://rktazuzi7hbln7sy.onion/

Signatures

Renames multiple (4039) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 6 IoCs

Processes:

pitupi20.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.html.jaff	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff	pitupi20.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
1708	cmd.exe

Drops file in System32 directory 64 IoCs

Processes:

pitupi20.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Starter\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasic\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicN\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateE\ReadMe.html	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterE\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Ultimate\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\de-DE\ReadMe.txt.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\ReadMe.txt	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\ReadMe.html	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\NOISE.DAT.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicN\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\StarterE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Professional\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremium\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\ReadMe.bmp.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasic\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasic\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasicN\ReadMe.html	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremium\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\WCN\ja-JP\ReadMe.bmp.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Ultimate\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\Amd64\ReadMe.html	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\ReadMe.txt.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalE\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\ReadMe.txt.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalN\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumN\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Windows\System32\catroot2\dberr.txt.jaff	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\EnterpriseE\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicE\ReadMe.txt	pitupi20.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicE\ReadMe.html	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasic\ReadMe.html	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ReadMe.html	pitupi20.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateE\ReadMe.html	pitupi20.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

pitupi20.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp"	pitupi20.exe

Drops file in Program Files directory 64 IoCs

Processes:

pitupi20.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21294_.GIF.jaff	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\ReadMe.bmp	pitupi20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\ReadMe.bmp	pitupi20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO.jaff	pitupi20.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt.jaff	pitupi20.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\ReadMe.bmp	pitupi20.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECS.ICO.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm.jaff	pitupi20.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml.jaff	pitupi20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\ReadMe.bmp	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS.jaff	pitupi20.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\ReadMe.html	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.XML.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15023_.GIF.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.jaff	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange.css.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\PREVIEW.GIF.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.jaff	pitupi20.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ReadMe.txt	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\ReadMe.bmp	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\ReadMe.txt	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.jaff	pitupi20.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ReadMe.txt	pitupi20.exe
File created	C:\Program Files\Java\jre7\bin\server\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.jaff	pitupi20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Events.accdt.jaff	pitupi20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.jaff	pitupi20.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\ReadMe.html	pitupi20.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOML.ICO.jaff	pitupi20.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\ReadMe.html	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01241_.GIF.jaff	pitupi20.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.jaff	pitupi20.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\ReadMe.txt	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.jaff	pitupi20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.jaff	pitupi20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF.jaff	pitupi20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\ReadMe.html	pitupi20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\ReadMe.bmp	pitupi20.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ReadMe.txt	pitupi20.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\ReadMe.html	pitupi20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099198.GIF.jaff	pitupi20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.jaff	pitupi20.exe

Drops file in Windows directory 64 IoCs

Processes:

pitupi20.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_es-es_601724f80b599442\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3750d57f67b9b07d\ReadMe.html	pitupi20.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UnInstallProfile.SQL.jaff	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9b3b900d1741a8cd\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02e9e13998201d43\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_63d383e3a610e3ee\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72e9145f89673890\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_27607ce0d66d59f6\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_it-it_7a6c0813b0185bfc\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8e22d46614494e37\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b7c696a7f6d113c3\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_it-it_90d7f5ba1d001eec\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3188cba3c74cc57e\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_3114b8ea29687dcd\ReadMe.html	pitupi20.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DHtmlHeader.html.jaff	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cca6156795327692\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.1.7600.16385_none_564b5f0e0709e9c5\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_c31e0e0ffb3148d9\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9227399fd915635f\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_en-us_247c7f7ff2fcb4c5\ReadMe.txt	pitupi20.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1032\ReadMe.html	pitupi20.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\3082\ReadMe.html	pitupi20.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config.jaff	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ecaff9829f3b58ce\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ee2eb924e76291e1\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b4e211957dcdb16b\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8e3f46bd6c2a35fd\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4359cbccfec4bd1\ReadMe.html	pitupi20.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallCommon.sql.jaff	pitupi20.exe
File created	C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e7f3bd0c60c7e17\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c8e6af2b99edddf7\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4dbc16709fc64660\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b6a4e01baface2aa\ReadMe.html	pitupi20.exe
File created	C:\Windows\Web\Wallpaper\Nature\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a95a194cddad7664\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_61da96604705f464\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3ffb4c3dcb07890d\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.1.7600.16385_none_6cb4cb2fec54f7c8\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_afd2a018d6923470\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_en-us_60918bf31d027127\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbc7c5d1d33a67b5\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b0a402c879512106\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\Boot\DVD\PCAT\it-IT\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_de-de_44d068f0f70f62b2\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1413722bc729bf88\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05906ea4445b6301\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca0da675f8ba6653\ReadMe.txt	pitupi20.exe
File created	C:\Windows\winsxs\x86_netfx-clr_ilasm_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_d76c81de4a71c338\ReadMe.bmp	pitupi20.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..cognition.en-au.ale_31bf3856ad364e35_6.1.7600.16385_en-au_08cbf9359cd20cb7\ReadMe.html	pitupi20.exe
File created	C:\Windows\winsxs\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0b45804490d366e\ReadMe.bmp	pitupi20.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Aspnet_regsql.exe.config.jaff	pitupi20.exe
File created	C:\Windows\PLA\Reports\fr-FR\ReadMe.html	pitupi20.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pitupi20.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pitupi20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

pitupi20.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main pitupi20.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pitupi20.exe

pid process

328 pitupi20.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	pitupi20.exe

pid	process
328	pitupi20.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

pitupi20.exe

description	pid	process	target process
PID 328 wrote to memory of 1708	328	pitupi20.exe	cmd.exe
PID 328 wrote to memory of 1708	328	pitupi20.exe	cmd.exe
PID 328 wrote to memory of 1708	328	pitupi20.exe	cmd.exe
PID 328 wrote to memory of 1708	328	pitupi20.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pitupi20.exe
"C:\Users\Admin\AppData\Local\Temp\pitupi20.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\pitupi20.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\ReadMe.html

Filesize
1KB

MD5
3792873760ce9c14c1f3749f889a9f4b

SHA1
95b8f19389e62e8b5bc9db23440a131336407a9c

SHA256
29c80ccaa4ef91f8c9a90b8c4c69cb4a591dbc5e0edac254a6c52cf10a40e995

SHA512
5a69ab4420e96df85d0d9c9ed652c7563313b34e866b4811274e538a4963cc5c75bac0bbbf27d8aee936e76817ea6b5caadb9a90b4c102c7b1213723e93ab62d

Download Submit
C:\Program Files (x86)\Common Files\Services\ReadMe.txt

Filesize
482B

MD5
3c5451f4286d1ccba34ed225de786745

SHA1
1cf8cfb2448d0fa05a03f76053573e7f3f07a992

SHA256
88c12770711cfdb9db3dbe3f4a78e181a893d1cb6d472ab71ac95ba4f408ca98

SHA512
147b3ab4c503e2619f9d2f0058fdf7df88aa774e319fd12b1ebc0856868cef6848744dc193214b2fe847690cd2d2091a51ff5aec4c73c5bdd97eda039038eb7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF.jaff

Filesize
618B

MD5
168787b819ca9d0f35ee4a46c24bdaad

SHA1
4be91b6d2742bbe91170ba6bdb6b31d5cf9b73a6

SHA256
14cd8c2c54655d096a3c7a8f29283a2f223595c426ac188f9a462432f052fbc8

SHA512
d679cdd978af132fc98ec2c95085165062fa95305a78da3256dbab8140889092b1b751348a4c238d47487b7a72ad644e345a6a82fad621a64b005d19e4712ca8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF.jaff

Filesize
490B

MD5
a80f47c1962f448e9110d9c5a9f1ba5a

SHA1
eceeaf7dbb30048075681716cdac77820ea22d7b

SHA256
0ad11127ccfab2f0a91ab45e9e606eff90729eeab587ede7fdd40c4cd7de833d

SHA512
63baefeaf4d25b158f1491bf6e3f2d9ff355796f2d7a04d9072abc2a4cc82c44a4527fea5ddc5aaa6daed2d2545faf580e56b1f6a73e0e112f6c159aa75088c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.jaff

Filesize
458B

MD5
e8af99763e450843ae920ffb1e21b28e

SHA1
0b4dba0c0146338aee6ff71a893266cb48746447

SHA256
a701ec5d74ae3bb6f2337862ab1f2f9e6fc9a9a2a4a054800cb386408a5d00d8

SHA512
f66a34eace810500b5e6ea17e457bf4d8ca58f430e1ce26bd1ef02d238441b354af97691ce995dce1808e3504b03f6d76cc9d71906a6b6f0573d78372e02e975

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF.jaff

Filesize
778B

MD5
fee95b1c8e014986cd1acee5faa610bc

SHA1
230f88836abd9042135395c57cafb5eefc3f2f01

SHA256
bd6d65797769f0ccfe5ab71860acd335532dec035bfc332769cbd3a60779fa50

SHA512
3da5701e2137af95338137240ed8517c1b0bff3592ba214811537a2fe35cf47cc7d6899aa3ae0d07a606af41a1f02551825c8f2c41dc94c0d38ef3a440ebb7e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF.jaff

Filesize
1KB

MD5
883ef0854ee29b1902898f3f293e8938

SHA1
7796fff96007af1c24747107c9964d2caa33a94a

SHA256
04e2b5346b0e30a2b0a85aa5c778f761a0ff5cb05c0c54792f8c71b7b6bb5392

SHA512
d22ba85ac83124603210f54ec15583c5fe931874599a8c0801d88aa5dbf159f41ac000a78f9ca1246bea70078b9328ced20e4966afb4c83e0eda515cdf4a25a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff

Filesize
1KB

MD5
f562a5d79bd46acc1e19efb00217828c

SHA1
785f1960a95ea69edb8f511d3a3d44532aca03e1

SHA256
5cfa70fda4d6bab431b96944979cee478c9eff57becc45fddefe3006e4e53057

SHA512
10a87aa32464e8c659e8f914c19d290c0d7bbd2f1562c44c357dc5506e02a13e38afe559e09b2c54c01ad48b7848953c2f0ac270eb1d76d0e9d7e071c9870057

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff

Filesize
426B

MD5
994ec52582c23f3fdc06cd0756283b9e

SHA1
c23ba06a1e7a5d867ffd0f9be09e1477bc266947

SHA256
4bfb98aab1691c03b94df59b98ce0971999d0fe3e79a1c5aa2ae6168ea43ad53

SHA512
0f281d5ae5b51e04dc77d42d58e9d9bac970235fc804808b81dc03b80cc958d0c1f0bf7848599bdce6f6733c81964ab77f393a3a3306effce0541a6fc33f4139

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.jaff

Filesize
9KB

MD5
e9c45801c1ea5ce1feba682498f6694e

SHA1
c083e25c586e117e96911f4ffbdc4388fc21207e

SHA256
f9874311387330eb34d280d6bbf0ee9d38e5c9be86be821a30498542ea2bfd09

SHA512
339622d0427f0470fddb91244291dd190b81ade05d176995ce1166479091d6c4f37922271eead31a95f871e73366cc44c0748df7e893ba5139071f009208770b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.jaff

Filesize
12KB

MD5
ec0e4ef8d1c80d00c1cb2a54e178e8e0

SHA1
7e616326c2fef03ba8636657ff62e735d3e80ff0

SHA256
21487e3a62c26615f1286b225f05f6839749a7dd67d970f264973b8152d890a1

SHA512
7c37c1e5f0824dc74cfdac91a85077f299bb2ece005f1f52eebc292d3bf2f674819b8d77092ece689a7dc51e52796cf135cb4e9ffacb4b90ed4a1d2155033f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmhyv50e.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff

Filesize
48KB

MD5
c8ed4269e4418ed18d04b5dbdfb471f9

SHA1
65c520a3b12fa4449314433cf9a491e496629f50

SHA256
6e03354f4fa16744f9fa25db3132417bb41e2cf7b6c19485e6c80dc82b9d6df6

SHA512
a0e32f452cd310507f3b78c3ec225d945203323a0cd97d74b289214a133cd74bbc44f26cd02f4d99661aceafe8b86aa52e730db996d950263502c0ff571f192c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe.config.jaff

Filesize
458B

MD5
fa4045e3e343958687b86f58c6dae29b

SHA1
96d677581961ce8570b727656ff405988d341769

SHA256
4adc4c3e69f7565c1d0e73208967d2cb6a67665df591d407836ca9702a787a0a

SHA512
649248ee5bb48e5cb4a6449251734b707e049e132f0da83435f7d3355556309baa632cae680f169e156e7cec7084e3aa4dd17c9be940de2e3382ce8fe32489b3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\SqlPersistenceProviderLogic.sql.jaff

Filesize
13KB

MD5
47809e697b5a8ba19caa8943389b6c35

SHA1
05ded07103f7197df302cd2dfa82343710786b8a

SHA256
b009342c2b01387bc21ed3364c71cc3f9097fbf61f7088be33d69e88be6254d9

SHA512
30df89af07eaf67e8dacf49e82afaf525f17cb61a199ec8c1ae0941d756a8a25ea98b754368490a4124576f482513371d5eedbd2aa21feca57dfd23fe2cfb891

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif.jaff

Filesize
346B

MD5
f2d9f9fe6fe1d57c7eb2aa5d964f90af

SHA1
2ae5a6a083d7c6ce2f0c1ed3dd4dad42ff5682bd

SHA256
6872332e3e348d2488a4046f7716e030d2596a0ce70307f7c39306fc914b348e

SHA512
d4170688ec3dfde026e215a0c3f9d0b51eb908f1efe20659e44cfbb85195d1d2b3170498b4c48e859be9a264b78f6f50d7703df3da22e1a0c363c2adc698797c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif.jaff

Filesize
346B

MD5
f7aa638e2109f28d39deb0c845a4f26a

SHA1
19023c95856e55ee043f33df8ada72a8bc41db10

SHA256
c0f4280c614a1846b1d51c4529d2402014e9c9a14ea4cf57b795a7f14c390362

SHA512
097093c0f03c5d75dc16e8aa7bcfb6d59422287bfb5375e1cef34eef209a0f3c091228a2636013ff9e43761de6bbb90cf39c462a0c54fba893ea628db554d268

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe.config.jaff

Filesize
442B

MD5
d2dd6e040755ef0c789250fcaf9e2bc5

SHA1
16849ccbf2fc6414c7f44fbeb0caea0ee06979d9

SHA256
9ada6e075b2b9df0ac8ccea232a861303b3b7d6b1d54e30473e39769f88ed430

SHA512
b20e922bfa40cf696791092ed03e0a159fcf78219e37753a5702c5d6b2e4aef75b3999666d51c5b599bb7f2f78d3919f15738aa9218089663b89d9564b7a1c2a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe.config.jaff

Filesize
426B

MD5
c0edbb18db4c01ca3ca6757d02a01e76

SHA1
18d30e5a78621decf66e4b167c72372e5281882b

SHA256
1b993071bf13c38cfb9a2b4f6780627df1f8f12d2dba646658cf7478848c3ff4

SHA512
414fe4e2754e94468cfdec9667015028d9e34410f9650dbdc85e674bcbcefa2a8a9bf1a2147a38881da65f701004270e8d6574134e83862517e9d954dafe5cb4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config.jaff

Filesize
490B

MD5
e316cab8eb1d4d866657c0069da8f1f3

SHA1
3a9ad1fc38c035f03d4864e52e059d936cfebb24

SHA256
4200a74ad239580f9e7e2d56ec6d6c34e5a1c140f670a5d6989310e778486b1f

SHA512
534fdc36e6f65809f534871e80ecff6b599474ba9fa605c633fe9e3fefdb0d3598dde3319cc00459eac39c9ecf8e4b98f4b44b5d1494c6fe3cd588bf69d6b2be

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\DropSqlPersistenceProviderLogic.sql.jaff

Filesize
2KB

MD5
d810e26a058e5dc91f8cf36081f9cfd9

SHA1
369f4a7b45e158e9b924a64a7bb30d2c671a0803

SHA256
844e1c6edb350f0e1e363722e24f6a7ba399baf66e512de251809d1115408757

SHA512
7f291a2916f441c1aaa8f9b3989fa8c0263832d727c86db12b2f56c024911681c21f28e6a18ae7c54cc286c0b9d2d217875820b2fa1caee5a99024d14cff6a4a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff

Filesize
330B

MD5
392959546a0bf070d86e302e96f521c1

SHA1
9d64c3963dd7225ba810dd1dc30bf03bc0e81494

SHA256
5476c4b1b28277fede7ab5965f5463e65d1ff2077cdb9d04063658385eb747df

SHA512
036cde9fee8dc05439adf42d9409a37dfd03724199595d4a3ac2d8ff28de5d9eb7568340d317e01a5c7b61ab7d80735aead444c65e999f589346e68fa52f1f74

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe.config.jaff

Filesize
554B

MD5
fc7a26959f2af4be0541b64e24d8866b

SHA1
a9f29c82802a0a0307da83e0d013e3a220eebb0b

SHA256
b470dac940c1a5113fa4e6fa3768d88a84356d64f344ffdfc8963647c6928c52

SHA512
9a28b91d75617c2cfe72d00f4f442a8dd4ee94f66ce5ffda7660983dc04027d5cbdf6a69c56bf341cfb70f77e0a9bf4022ee14a38ba6798bf7913f800d3f86f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe.config.jaff

Filesize
458B

MD5
bd083e8d0d0011d16530d3264edc70d5

SHA1
b57b93649ef2ca8b3a601703772e0d62ba985a0a

SHA256
4da95d27d4f6f058f526d9ddaf8b1a4ded68f7423da75273f2f3175bb07949c2

SHA512
5e4613020901c206d5f4979992777f5687fd7f81e1ce4c59316f98d137a88993716936c427f3e50118b1472095d48489213a50437c116557e53e5f46a46eebf8

Download Submit
C:\Windows\ReadMe.bmp

Filesize
3.5MB

MD5
302f1e02eaa609f8bffded8399bbdd52

SHA1
2e7c2734030cac5900354ed8193fe0b1a0cc5cfd

SHA256
297311d8c31549f8618bcd6ecfb99f2345ede1f39505e597b4853ec434449748

SHA512
960ca6de02b5cf39c01692b1d986889f92ad86514f74314684808791ce0c2b4c332369d2fc932d3e61f5a45cd520346a3bbb580b5b60575101cccb15f1c604a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log.jaff

Filesize
282B

MD5
cabaed65039fc8497f490783f08da9a3

SHA1
36d3753e424ca5d382bc67c0f05581da50ebda13

SHA256
155db0002ead32adf6b3e7276eb44792b1033817d15fa9f93cd9adfdc05c12bb

SHA512
3afcb6e3ed639b01e18b514eadaa8a32fa5e2a1f5ec1b9e9ed75d3536af612b8a255bd2dc23bab0599ef0d4dec06d2a523972ed391c3cdf6b53c4195eccdad9b

Download Submit
C:\Windows\SysWOW64\es-ES\ReadMe.html.jaff

Filesize
1KB

MD5
bd6f398673aa30049452af1f81c49ec6

SHA1
20f8568fb8ca80c2ee2f003576fbede33ec3b411

SHA256
92b21172d43f0229e4397298fd750fcd1562fcbc958a3c7eefa0162f59689355

SHA512
bd069d73a38b41e1301653dcd1c71fc965870abb1973612d65a87bb2168597558edaec38e50c164043006fba5a73a8934146b12ac23af438238c8f6235e05f5d

Download Submit
C:\Windows\SysWOW64\es-ES\ReadMe.txt.jaff

Filesize
762B

MD5
43ca0c0057bcab208226b65b72c555d1

SHA1
3f9e1ffe8b60424c6fc61c3da19980532e203022

SHA256
75c6555df7801fd26dce3a987c557e8c4d319de0690216f0b1e08908c13b38bb

SHA512
7f301daae02dc41d46008c3c9f2f11577dc7d2ca9af26e44c17066a25522da81d32a6242921659f4e15746d46b07ce247ebf4fdf0b78fe706c7542c79a94b129

Download Submit
C:\Windows\SysWOW64\migwiz\ReadMe.bmp.jaff

Filesize
3.5MB

MD5
dc0745e0f3e6565ed12e9f8f70432690

SHA1
11597db87e7b6626f5d5bd9e4193f48ba47e11cd

SHA256
58608ddbe7ecc1b7654dda8d10e90338927a6fa024b52aa4d147f8a1512203b4

SHA512
4fdc2b2acee6526d7c672265b50c1c7af269493c2f32e220578796ffd000a80b75634fc2582009c886e224c6a83dc6835d4a1265f54a795d3680f707c8e92143

Download Submit
C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff

Filesize
31KB

MD5
5a3bfbbddafcded8e28bbb470a7441df

SHA1
5d1aba2337ee14756e3515bd28ec387e9a856310

SHA256
94e824a53609782e5a06da326b4dfc1f1105dc0f2ba025c56b9d4bc884a0ed56

SHA512
3b4e1e8ec968b002767d50a03c86ad00a07a6b8722e89f093d5586ea8ce8e5ec4018a8de1cba81836924d3927a6e2872a8ed6310ba3004879dfd35b56ce5d13e

Download Submit
memory/328-2050-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/328-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/328-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/328-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/328-5-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/328-4-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download