17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Size

33KB
MD5

0d2c400c967b3df9f1c5e193e9ffe482
SHA1

2b09bd6fb74d067e107727a7494ddd33eba47338
SHA256

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a
SHA512

55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4
SSDEEP

384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 4269048812</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 4269048812

URLs

http://rktazuzi7hbln7sy.onion/

Signatures

Renames multiple (4015) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 6 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1568 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
1568	cmd.exe

Drops file in System32 directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\fr-FR\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremium\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasic\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremium\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\data\ReadMe.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\UltimateE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Ultimate\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C9.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\wbem\xml\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremiumE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasic\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\WCN\it-IT\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp"	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Drops file in Program Files directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14539_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryResume.dotx.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\WHOOSH.WAV.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Earthy.css.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Drops file in Windows directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\Panther\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ba1cc5c862844f35\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cc39e164ed9f744a\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_en-us_77f885dc30a2b58b\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonypal_31bf3856ad364e35_6.1.7600.16385_none_cd66bc3541f90a26\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Vss\Writers\System\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\watermark.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9cbb1d5656f57791\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_es-es_53d92c4ec2b28e59\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.1.7600.16385_none_09906177615c2112\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_8.0.7600.16385_none_1622b3b244141a27\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4106c47800c64a15\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a5ac6196f231571d\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.1.7600.16385_none_1f7373be61daf614\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1a07d4da952d4d02\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..cognition.es-es.ale_31bf3856ad364e35_6.1.7600.16385_es-es_3c034162a988d835\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ab03602b9d6cb924\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d4c812c90da12283\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a9893e83c110fe46\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_36242a66d0a3fac8\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f1bcbca1e780b68c\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_018b4fa043769680\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-addinutil_31bf3856ad364e35_6.1.7601.17514_none_29443e96f9fb6564\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_e119eb1646de0342\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_00f087462bef45b7\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_netfx-regsvcs_exe_config_v1_31bf3856ad364e35_6.1.7600.16385_none_dd975ffb8de73e55\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e7f3bd0c60c7e17\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_63cc1fc1c4366aaa\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_71d9774db1afe542\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e0a31f5b1cdade5\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..s-directaccessentry_31bf3856ad364e35_6.1.7600.16385_none_52b3ba1508e42ec5\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb425691a3c4dfa7\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7b64ef799c494a30\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_prnca00z.inf_31bf3856ad364e35_6.1.7600.16385_none_ea189c313845a10e\Amd64\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..eraccount.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e185cfc7615ec6b0\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_064ef2a4b72f72b1\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0267af49be0713f6\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_cc7ce9d4d87afd2c\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c1265b3f9ecd8c9\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8b1e0795efcd31f1\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\fr\Tracking_Schema.sql.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_795ac2ac69664653\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snmp-mgmt-api_31bf3856ad364e35_6.1.7600.16385_none_47815118cd38388a\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_bd28e772321016e1\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d027e638f114b913\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5e391147391d2f55\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Logs\CBS\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\inf\PERFLIB\0410\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cffa1c7732c576aa\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	pid	process	target process
PID 2280 wrote to memory of 1568	2280	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2280 wrote to memory of 1568	2280	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2280 wrote to memory of 1568	2280	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2280 wrote to memory of 1568	2280	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.bmp

Filesize
3.5MB

MD5
58c3ce31b5687583c67761fa8a092f9d

SHA1
cc3dd0f11895648b264d8890827059f618f2797f

SHA256
e4b82a227f1af1d7ea08eebcbef5fc927b025683f5077d3be3635949576201e0

SHA512
5aa50cbe95922a2a2e4f3bc8e7fefaf8e4f4eb990986aa41e96bb077f422fe70e475227fcb2c915864108abe2ff0f5eae281eb177f58d590461249b1a4a573d0

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

Filesize
1KB

MD5
3a46dac3f4c10dfe74a0e3601021a791

SHA1
9ffb319517542670eafc67cd71f898b43b71b452

SHA256
44f4032bc674a2f836d1be30979456aaae5d24afaca44faba4503b92702fbba0

SHA512
ccd4beb602ce5a851b8f36de82b44169afb81c83e719ba4cdecf86c2783d8b1f6939a9db9e538f9f422e112b46c6ae55870ee9b1815e8f7a8438944697e89d2a

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

Filesize
482B

MD5
adbe4d91680b52c82987a920a1918431

SHA1
1871a4fd7983481a765b41d2dbfcf201a767221b

SHA256
5daf04f81052209f8b9fe65793e5be28b27243ce1c56178d088e8e835e6e9124

SHA512
bfdd9f632b519377bf2ba3fcc19442789acdf1b10faecbcd593d17cae1f61deb7796bf050cb2da3d23188db53a9660b6705ac15a051e6311a075eb9593d64e9e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.jaff

Filesize
617B

MD5
e19fe113a3de76c2d36171b1dde45b52

SHA1
6d23f5ad34ef87b3440b6c06e05365c14b42f9fc

SHA256
300115fe5e446400ef5f9fe0118599ccbf1e5496de87a24a62c8e25dd1b6e055

SHA512
0d6642a42619043418b1be88189471127a899256c1c7e5aefa69389cf23731ee108c86aee6e959d6882519a07b480c983cbd7833448c997d4b289f30b808de8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.jaff

Filesize
489B

MD5
7b2fffc2f0eaa5571da2acdb0f74c9c1

SHA1
a74f6da4e247b568ec50c4fefb079066f76a75b4

SHA256
702ae305be310bc75db0568e58fb3d0078ad959674162f72ce6cde391ed0e151

SHA512
bd17148b359c1462fcd4f68a2b7ee55ae4312353cdd2d95747280c76b3e0561dcd02e3419e40003d873600dc5d83f83a8b1ca235302146e50f12620b2c658d73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.jaff

Filesize
457B

MD5
aeec8563857d4e88ae292653fe3596c2

SHA1
045a66823cbf4c677681188854920de194d0f8e7

SHA256
ab2aa57e575dc552c7c3f7ef1453fcd372aaeb7fb13f9e6722b0b5bad27a7029

SHA512
13ba5f27c18bcf9956467d092addb2669d76dd17d27e7dc8c98532d468936031698f5708c1c2b9e10247529aa7c58d49ab2515415afe41041697b63ae42038a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.jaff

Filesize
777B

MD5
3f01f7e5e7e38198b03b2586a5be8583

SHA1
f34a0062a380e4da911927a7582d6860ba4ffb07

SHA256
fde5dbd46b23a8b3e2688e255758f13d0722aea56f1d845b93c8c7af4969f272

SHA512
2fc9fe74e02ab092f54c4e41ebf0dc6f2f33bdb0b717891b00449d74d9c27ee5e7fde02419ba23790b5469dcb4a9eb5f71d11a20e944784aa3bb57142b9ecae3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.jaff

Filesize
1KB

MD5
d546455a6e81e30e49496053f98695ef

SHA1
2e78022d097357c739813dabda1edbba43d7692f

SHA256
db2f33e28e503d727eb977335a7f9969a8dcfbd6ad9e1e75aecfdee37f8a0855

SHA512
67a883ac9340cfd04771f0f7bea5f8550b17144c8cd8ebd4806ba7ec090e36e20bf0fbc9a961ab9d12099c543d9ab26e2ca0dce8aacb9c97b17ce0a3a61a486a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff

Filesize
1KB

MD5
6276d2ae1fe73625484a985404675d4f

SHA1
750083f4852a7ad210b222aabbdc0a99689b2db9

SHA256
e110f40bbd910d845dcd536479032b1fc2c0b17a1e5f59cf91a007dedaaeaefe

SHA512
759fbbae3e4bd9fd65d7b3fbc6e80eaccebbb485e2b1a1ef06df5039143bcdb8c6e8b8b8a92cda87a2919d13f654a637d89dc23fa1191454d76cc22106c1100c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff

Filesize
425B

MD5
1edfe90774391d158546e29528c4698c

SHA1
b4f7bbe73d89a2119b04690cee5dfbb55366f32a

SHA256
699f5c89eb9a30e4540212a8409da5af0972df39bc9b05b582b017189fff448d

SHA512
1d6ea4ce631450fbe0c2f93c121b510361f57480c97451b647b2eafcd6c9260d5d16c3257bd18125d32a4e24999610a7cd3bd64f8c76cecbeefdd6ec4ceca7fd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.jaff

Filesize
12KB

MD5
ebb7ae0d55798dc571ade1045e00c041

SHA1
497972d7a57031cf429ea3646ea4758bd9f0d95c

SHA256
90715bff0c24bd1272f5593a76ab2e9f598eac0bf300a75a4b511aa3ab90a2f3

SHA512
e00b648f82b6d7dc94643e347f65412497878be5ca1eaa36de6df30538ed7eb1b99944f350b62d09e2765f3ab3e2aaec53d534132b7fbbf1d2c888e1cc2deb80

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.jaff

Filesize
9KB

MD5
d80de0457d3db29f32ac63828ebcc4b8

SHA1
7f275665774e797b7f1db769e825ad1c5b35b898

SHA256
412b30c16ab674f0be5e316379fbe736bec8815d8c90b5795fad8e6970cf341b

SHA512
511d6e7ee92e9bacf7b929961c4a85d3be42069e353dd5f1ff1a095d9fcc5c6d866dad4bfe7816650b743c0b05b77de52a94dfe94d1689046961ae1fc0fa52aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff

Filesize
48KB

MD5
47607045c2c43dfe9ec8815496c30778

SHA1
c2e376584f5d3e20764605a1d20102416cebb10b

SHA256
4cefcfc58247f51a19e6f19ec8f32024b54dff7e66d21a3139e11b970762e5b1

SHA512
27a679450e0d7f9c0120aa8e6ec3348c014b4da175b6baa1e775e3d7570b2f536539046a7b1b8b7f05613c171fa521e2f99986d874c8f4b504fe0cf8d2d143aa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe.config.jaff

Filesize
457B

MD5
0c11e68f563439a620537d461db9f88a

SHA1
c23fb49ef0371348e51bfc8a47b090a36ad63a57

SHA256
1c13c0253b3638abd31000a8611e191bc6dea0aea1007b24a4f57df3926774db

SHA512
7ab90a26a763b2841385c598feb85f381eafba4be298d0e319ce371a492bb13cea5ba51bf3fbcd7d5208fdab0ecb0a7ae52489d2157098530f068eb06e096cec

Download Submit
C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe.config.jaff

Filesize
425B

MD5
bc4e63ff2afdbd01872355904760b453

SHA1
036672989c2869a19d1ee95d98f48a54a403a16b

SHA256
09f324a15bf0421549b6e4a7c9976f44a5fe9cd39e85006ce00d51ed564d25ec

SHA512
0806aad79c3337f1e29903618b5bf8706c78f6d9fb7702ddcc0ebc285fb4f588b45f966fc4c9e3ab38886a3c83c881a0c3a6b2a98bd35e6fdeb632f311c62cfc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif.jaff

Filesize
345B

MD5
d5bd54f0288820e942c3527f047daa8b

SHA1
ccc376f9b14fd946830827281a0e9a42835de1a6

SHA256
f513b89a662f4f6bbed5fd5e80d3aedc82572731bdc336d5ddd5996ab093f5c7

SHA512
981ea6925a6b65d93db33d32726af3a6b1eaa02fc815c8b21f34f8a690bff1618e6969c8e83b5af58bc872c1f6a0757053a6072fd69d03ac94f541b0b6aeddd8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif.jaff

Filesize
345B

MD5
c94fa6ca0646b1fa00c716d14113417f

SHA1
993ebd8d02d3f21547401253cdf0c3299148ec57

SHA256
21345ff35ed1dc6ebfef4ee3fc627f2060d95c8106b3d71c3bc78891754e2d44

SHA512
f1e11a2a47bec771e2ae7fd7b6c4e32bcb9d14a1abc23512ccf06a2d772c7dec6182192c82e5e9dc42093687d90317cde79960a7d017e66ea62dcd7aaffd9e47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe.config.jaff

Filesize
441B

MD5
deeb38404b0292ece4558c1834babf49

SHA1
e51bb32061056541b168d2e78c40420c91d12df9

SHA256
c6f3c5177af39d649639a3eb297cd716a0fdad33d85c60033e6ab5e55fa4b40b

SHA512
d41718140379142f56a0c5e9a5ae4297d2e683765fff1ee264ea94949d3e12c45cdd55d1b4155464ae9fbc1cd0533f874a068771078caab680b9e2441ab776f4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config.jaff

Filesize
489B

MD5
6d746b5a07a09516766f95a6d5326997

SHA1
6d9b5acd4d5f2913b6a95307bf2a97eb75bcbc93

SHA256
1ec20d1e92f94f5c29ea6e78dc17f88d98ba2b7ac90a22a5301eb799f723ebc6

SHA512
2cf550c70aede52cf66747d467bfe699bce4ffaea7af955a073dddb0c40d8b47b61ae48888608929866553e3634ee9b09bdad9e11f21f34928d447f63f5596dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\DropSqlPersistenceProviderLogic.sql.jaff

Filesize
2KB

MD5
1445c9119491e64969d721a31888b528

SHA1
8bd09f3f9da250f0628d11f3a2a630290d6d66a2

SHA256
5ea2972e8f548bc8b72b6188e6f463f6c7a279e10ec962cd574bd8bae3a3b802

SHA512
aad2f084e609a94185b3d0e549ebc2a6ceca2e7b28d960046326f2eeca893a38a8f9b7026730d25c72c119b048fcfbd785c9360010d3d133c776fa4a8cb0e380

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderLogic.sql.jaff

Filesize
13KB

MD5
750d4dc7bde47ef76a441a14c2449d06

SHA1
d92d706061a9fc4f4edc5704091656dee3027e82

SHA256
b8f3ca26050817cc6079805c007874d09329f8ca95ee532e2df3e69825c7dff5

SHA512
58291afe47065c028eb0b3f151d50a609ac963ff5020bda27ff5e0d6f3eb7f68a32d98c98407790ea40b22a9eea085981718e67c5ed4ba6f7c457dd1f00ef17b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff

Filesize
329B

MD5
ada413e008cdef885150bf038c1d0c5f

SHA1
8c5844866ed6b5c74f68acc9fa50f4f3f57391e7

SHA256
7505c62f8e32fea2240b5a383050211f6276feb95bdbd2d63da398b869dfdf40

SHA512
a483343a9e393f9df53a437e6f5fd1fd0e9e243bb5b7461e2879868978d62ebb3392079f1a9d7b50e25cf6b753ba4af8c9305191d488120b09478901d3f12abd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe.config.jaff

Filesize
553B

MD5
95d0e89b8c52b4edebc18d74c5b4c700

SHA1
6738bcea016ad85dcea28058c6714647ad010630

SHA256
fa887f20bd8086356e986f0058588211966b25434641dc14154dcc4f56b2ca88

SHA512
fead5a94f0bec822a50b8c734de76bb14f67b3ad12e69b56141404593c257acaba38c554e1f92f0787621cf81c1cf94123490f4b70fc114baecc67e85916ca33

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe.config.jaff

Filesize
457B

MD5
27a6c7c7822b8c34f8fbc34650f5bea5

SHA1
a232f0346514970a10bb2a68adb2e20122766050

SHA256
6e2e30552648175a3eb31cbf7adf9b07b263bdd8293e24d7652bae2c6d47ebe9

SHA512
c55ac6f0a0bd855776c25b4f23fef1921b6cd972e8c18031c92be9819b40678316b7818eb4257ebfa084d492f34dcd0b67cc4b297f50dc57ec1353eff8e49fa0

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log.jaff

Filesize
281B

MD5
b30b95e867f3600ed9e6bb6d9b75be4d

SHA1
c38d6f8def212204ec253dfd20b640b2ba4875b5

SHA256
eeb52552a9f27cf4adef97dca2a84a63172f10b419daa73bbfc3e31ebe300923

SHA512
1759a5d37844e2e016e5255f3dc0cbca3dd64006a3047b64cf7b4fca7c2bdb6aebc5578f0b1e458f78dd42d656555226a26dba1719ab8f8a6f54ef45d105a58d

Download Submit
C:\Windows\SysWOW64\com\ReadMe.html.jaff

Filesize
1KB

MD5
9fa145848f3b692d3949e4e9ce0f225f

SHA1
834871ed87bb5521902119f5ef6030c71935c40b

SHA256
ca971f80b74b3ad2135bc8f7442e9248d47eb7ea87fc0a2f2eb54fc37e1ce561

SHA512
ae659082d957f981275dd2489be83dba3b44439a10c7d6402ea8c720b2d653dc8748983b48cee27c53e2a65259b29e5de04069345df4089a532b1117dbee6940

Download Submit
C:\Windows\SysWOW64\es-ES\ReadMe.txt.jaff

Filesize
761B

MD5
777d6b87840244da4b80e117bf84bf18

SHA1
7cfb42a9e3ef0eb8ffc2519724793ec0ca7d89d7

SHA256
09cf18f36bcf462a63ffd916db61923b296e0e3779113b3d4e8ae3457a073b83

SHA512
1a89831367edb3f6b693e9250062f3fe5368d97f6f0c263d6dc0a34da2ddd180594927a5c6d04b1b50f5850f94f3550d909260b27b7eb79c58bc06d0a8e165bf

Download Submit
C:\Windows\SysWOW64\ja-JP\ReadMe.bmp.jaff

Filesize
3.5MB

MD5
577ec58e43331c65c8306f99333bb477

SHA1
7bcc67a40054e83f4a297d724c995e49d2a9888c

SHA256
541964f505d61b88a36ef20ada38f5f6c9b3b92de0268ecd53ac71ff4f01289b

SHA512
3ccf18c28a8a71bb0682bfc7596ae5750d1ac728f8aa5a040c7a74d964aca5d1fc6401679ce710f1843475645afe1665f59f17c4c2d641316ca2a50ded7e123e

Download Submit
C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff

Filesize
31KB

MD5
7f0ff110485850b974164ee7bed8a025

SHA1
651d56a8ed88c0cbed34f41e744c8f4742c7cee5

SHA256
5ee90c4028a25caa65f4fe04126d25ceaa91b3d909e315a42bef7c581433063a

SHA512
bfe0a1854bc03c5ef2eabe2082d360376ecf39f5332af84e58e7a78a675d27fea197bd623fd5a5915b6a7e9bfd5b85a299fb1da99a7bcb116d2f5fd8a70cfb16

Download Submit