17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
357s
max time network
358s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Size

33KB
MD5

0d2c400c967b3df9f1c5e193e9ffe482
SHA1

2b09bd6fb74d067e107727a7494ddd33eba47338
SHA256

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a
SHA512

55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4
SSDEEP

384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 0582710216</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 0582710216

URLs

http://rktazuzi7hbln7sy.onion/

Signatures

Renames multiple (4027) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 6 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2196 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
2196	cmd.exe

Drops file in System32 directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\ReadMe.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Ultimate\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\Amd64\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\license.rtf.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Enterprise\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\WCN\es-ES\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Ultimate\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\WCN\es-ES\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\LogFiles\SQM\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Enterprise\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Ultimate\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasicN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremium\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Ultimate\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C9.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D2.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\StarterE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Ultimate\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp"	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Drops file in Program Files directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL075.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Drops file in Windows directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1248d52c93fe6e31\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_b724a267c2ccea7a\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7600.16385_en-us_83a96f16be1ecf82\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_9aff0a0726ff98b6\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e73ca319a82aa327\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e31d2d92828b5ec3\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_efed75e2fbac9517\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_068a8aa70d654920\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_en-us_91a2a3662d8ffd41\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\eula.rtf.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\diagnostics\index\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_common_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_9b5d3c5138868587\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2db40b99b2736660\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cb41e15d1e0fe8c0\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_be5cbd3b6b3e4c5c\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\es\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe.config.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_289b855890d86e62\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_25d4ec0b90e21a29\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_dd8dde728f4e7060\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate8.ico.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_netfx-weblowtrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_b282c116d6e6d47e\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Speech\Engines\SR\ja-JP\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_11.2.9600.16428_none_dde9296580ccbddf\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_eee4e052cd1adbab\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-xwizards_31bf3856ad364e35_6.1.7600.16385_none_77fe6053a02b5dc7\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fcb2dd5d6182f5ae\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_61da96604705f464\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1aca4d46a08df107\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe.config.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bc7b845ad586d402\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c1ae04d6b2f5d213\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_71d9774db1afe542\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_de-de_559eb6a7b33ef039\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_minimaltrust.config.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\inf\PERFLIB\0409\perfh.dat.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8d33546de1c5ef03\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_9654ef966755d06f\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..l-wallpaper-starter_31bf3856ad364e35_6.1.7600.16385_none_f08164982f2fecda\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.1.7601.17514_none_81fa0191bdd08961\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e9c2f754efcb477f\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_es-es_f5f7b0a614550298\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8a445b750021d88a\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_it-it_16b2136334d4d376\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9b3b900d1741a8cd\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonyntsc_31bf3856ad364e35_6.1.7600.16385_none_d75d6085d60aa50d\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dd95cd2390bb17bc\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_1f13ba22df0a61ce\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\inf\TAPISRV\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.h.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8f1f29d5a784472a\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_wiabr00a.inf_31bf3856ad364e35_6.1.7600.16385_none_1ff46c750309ff30\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	pid	process	target process
PID 2632 wrote to memory of 2196	2632	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2632 wrote to memory of 2196	2632	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2632 wrote to memory of 2196	2632	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2632 wrote to memory of 2196	2632	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\ReadMe.bmp

Filesize
3.5MB

MD5
d9d46f5c1d462e6fa986c08b89e8223d

SHA1
e237a3843427f183ac8cbd6ac91c3d53fc0e64dd

SHA256
4036e1539be43744284758f08b6bd8039bcb9ddb12aeff01f8aa2f5619b94268

SHA512
3a6e661e9000ce290f0082838bc6dc33e1d2187aaf6c0c7bf360eec1c0140bb0f00b9283ffc725f85e890e0527651198a3ff8dfb1e68fc09dd1afb0f18fbc226

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

Filesize
1KB

MD5
b92b5c1b1159a4b56f5ebf5d8112b622

SHA1
5ac4bcd88117003caa5f330c0cde8450252f87cc

SHA256
767b55d49a37655e186ed1b71f69218da846a945ff00e902baa778840dda6736

SHA512
a5599fc6f2330db6c5541ba8af8737b4816dd1171d9d40c6f2404e71754feffd35b34c8c9ae1fbfa88a88810d594da9e0de119342cc5d8e29e66e7ea45de2fdf

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

Filesize
482B

MD5
cfbd7fa17c72a3b5c84e940dcca2b69d

SHA1
9c7cf35fb08fc0c086cdc64acbb19605e42fbf03

SHA256
ba42b3018667de48aacc23c8a634712907148431998993691296bb1b09818afc

SHA512
cb41f5e7a43879fb2ec495bc8c658c43421da7da271b25c56ec89136ac2723b1a8d2173e65506cf9bd404ca8a22f5945fd11254985c752b722cc79bcb25f5ca5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF.jaff

Filesize
490B

MD5
a6ae0cfbf3eb596a81371089167227ee

SHA1
adff680a7fa080b2ea13224253c15668d4659b90

SHA256
fdf0e2af89ab6a8b65948dbb25ccdeb915fd30431673fd8bb4440e084debd3e5

SHA512
d97944dc1e5cff2fbf2b2e5c1a69a65240926107286e5f492c0810a355c30fe094714c280ed98024790b12115f249935048348a882ba33253370fe03e03173b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF.jaff

Filesize
618B

MD5
05304a96ee2be2cb1fd9eb29ec1278a4

SHA1
c576782af8839787d371b7aa0748e7e81696aff4

SHA256
5889d5d344df5a3caa626d159c7a77e6e55711d5313ca8d58d8ef8971960c7db

SHA512
d409e65b3249ab48d1daf45b8171c14110cac73bb12b4054d5d24db9895d643d8f8043a4f81a8a99af61f48f3ffaad6be3a84a2276146e9bbd833d1b90ee335b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF.jaff

Filesize
458B

MD5
2352c1e232f2d1937e2fc3e644de24f8

SHA1
5ca092a056e1170afd94c244cf89461faa7ba548

SHA256
5857a28d90dfb5d07597b0aa336512d474459ede117b82fc7fddb459e852edec

SHA512
d88638c77024a99a386a9d8ce75d80613f077d91ef2356be8257047ad40872e8e45bb80f2844efd02b0b3556c06180b328278631a0592fd9d8dee4a5029c3cc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.jaff

Filesize
778B

MD5
b8885404aed05928f9c493470fdb95f0

SHA1
22c3442a540a57e5772953a64a3deeb2bbee3535

SHA256
38abd0d4d00329468b3dd182685ec0dc9e12c55a3eeb18dcee528669cd0e284e

SHA512
34be47cfd9f22bb63fd0696d1ce3d79aabb273f884454c6e85d57fc91b68a34d85100d35d8d80ea70cd61217fdc4a226627e8c209525baf2c91f9461be61291f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF.jaff

Filesize
1KB

MD5
a16200564cdcb588ca540f93a53a7dc1

SHA1
53cdea292ef0db1305bbdeb74c6568b3986bdffa

SHA256
c59bba269d2169380b5076250cdbdb576d73cf7a5964bcf86b06351d80ab42f8

SHA512
9b40aa6bb4b9f8c9da1279e91d575b474da881cbd724f3e80e6d7e3a2bbddbb876d304e2a7f0a8a1de0bf6535c3b7404e9cc1d6af487133cdba3fa0517144594

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff

Filesize
1KB

MD5
719d2e28cc0eb103a53658c1f7011212

SHA1
92fd0ba6c44c5629990589616883db478086545b

SHA256
c245f3e5643eef8a3204814b4f952513a2d222b88b0ce378e795fde939e37362

SHA512
7bcfb177bc65fcd36f33d5f5bbb65a201f9563012b4c26c803bd6ec062020269c105644ec6cd758f2a5cbab96705af9086a0cc62cf347b668088c4719726ad1c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff

Filesize
426B

MD5
1cbe2e58157a22882cb05e3f88c48bb6

SHA1
f842aef3198367b7cd52e3ee91508e5bfbbfc49c

SHA256
3a0033dabc65867d7ce2853951e9e4b01a705453b8afe7b06e63fe3ec91e7392

SHA512
96212f5927fcc5916d1d0a085fed350300def7a816a48befc9dcb015a7c8b5fb36e6c21c1596820a01d83e2f9296611d32815985af2d67b3f4501ceb3a506358

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.jaff

Filesize
9KB

MD5
e1dd2c95265f33c04b153699fb25260e

SHA1
9336b504a5fb20a0e2d41703261e54e62fc81ba0

SHA256
a58317f522f073a2b45e079445544e36055cf326466991208df4db8bf0d4a94f

SHA512
68b4f85387fd914eede17b27baecd3c84acb1cfc4115dc995356ab48b978c514b0ee84ad359ed2ceff1b4225235de25b244214febf195d8498ff3f9752c3bdd6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.jaff

Filesize
12KB

MD5
f82fc43f5af424cb3ef4db466e16326d

SHA1
742b20773687eec8a9280d17781a5404ac1ec4d8

SHA256
691762dc8c26b0390d1446bb36c01ac011b65248d94e8bb457baadfdd040efb0

SHA512
8d35595bf678e1d1348792c9f72983b94ceeb97c55c3c1981f36d91b579d51cc6630e18289e7fa651f9057de5972269bb6833b6186770544a8f837135ebb8823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000006.log.jaff

Filesize
282B

MD5
cb0caa7a31faad958e1336f27bba6500

SHA1
d60eae58767222d839963ebb869f7b222b547c28

SHA256
32ef903dbfbe32450ce7ff64aa143fb397ffab67bc230740f71f9ceb13c41cec

SHA512
2047eb41b0ae5d321ff3ac5c901193f6c2f96296ffcadb2d40aa6eb17cba688fa95727386e2b9dada6a10943c40d0f3440d84202c2d908905c4638a3a0c6ef88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff

Filesize
48KB

MD5
1a42d75f6972f0eb5903096f7b297c9b

SHA1
1ee4d288ac113a37881be956012751dc86243489

SHA256
417a5e929c97bf9732b39ac798532cea07ccb84fb136e07fcce45638317249de

SHA512
967d0dadad75d364da8334b297a21c16c8e63a468ef9b1bd0b57e0a123b531961157cbdb90b962b6f6dbe219a82ff36e15202d7a441948040ef195b03c088f0e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe.config.jaff

Filesize
458B

MD5
a75eba1447e17b50c9e0f0754784b60a

SHA1
f0bd406c093e8b59d06b17d44e6aad3822c7eae4

SHA256
dee969c26cffcc3c82edb7f93722480fa47b167dae04b27287352ce7d79bd2ad

SHA512
dd942e8fba8517a244def3e92613f9cba7cd801e983c266f35c3a5f5e8d82fb4a46327f0200c6a3cad4e62ed79b99782335b4e565e1e1b81655f25e50ff7c48d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe.config.jaff

Filesize
490B

MD5
d349d0906757d5e13735d96625fcf4fb

SHA1
d5f5c895a6e00e51606124a558ccd6eecb9a0935

SHA256
5e537de45e625976038311ce2d90a1a12284cd3ab4aaf48923e91711cdc0f98b

SHA512
f3fccbe7f1ea7228482161f943678c30c9ffe0c15cba6f5f90fd2aed2a2484fe32b11b582fa62c8cc85aaa3bc3cec69a3d443d8611ef9999e0b3387319f26541

Download Submit
C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\SqlPersistenceProviderLogic.sql.jaff

Filesize
13KB

MD5
3ad51f035ffa279262656c07de6a5fbb

SHA1
d2251978a502b0df6b70d7f4efe202608a544b3a

SHA256
514c27022884e03c78a8d4ca0b24160362b51c98612cad7c1a4573330c1e7202

SHA512
9311948f4be78c71859eb11e934d87c1b26ecf77ccc048ac86e6f80d583753d9d5e09348bc6ea2070f44d6493e4175a56f6bf51af81444a905e4d819518cf8fc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif.jaff

Filesize
346B

MD5
188b6fa25b8b362a7c622737e04af95c

SHA1
631ffc66ca28bdf719b7fff06aabfffb95346b81

SHA256
f13dbcfb41875c953edac474d7311e5ac7ceb078db29cb85c1b700d633056351

SHA512
3df9cf103b5aabac0db31eec0200224d364cc6de9befa0515fe4e2f11d17f6c77c584dbb8f7e2f5c802f0a98988549a2440dba6855d88829b515b864f3aff7fb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif.jaff

Filesize
346B

MD5
ec47905ef9b69bb4d2ed683e96428584

SHA1
5b1e55734030c03af0c8eb1911828440cf719576

SHA256
45e39dadd592dd9a876282b754f6d30f47b863ebdaeb631b8229fead59cfbce6

SHA512
a52ed5fa15e14d33dcff8041f469e01af5bdefefba9bbbdc7cfa8f43575bd99351bba90f9ba610b382635bb3ce01464c89a32f06a720d65d195a060adc9ec5e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe.config.jaff

Filesize
442B

MD5
62da3f21f8e04931ec3f86e8c542c51f

SHA1
9d93a1ff13bef961d3c43e4373beb3f025abfc35

SHA256
7eb9d3bde2e13802a9d2410a7c7dbb7a5e797c8d9a69721488f0d734a4bc2e0f

SHA512
8a4a246be5846946711fc739b9055a22113b7d7336f388ce891b6bef1e1b89743c9f652b4ce3d90494eb00f05fd81e6a910877e32cf3e9862c53fb4d566d5178

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe.config.jaff

Filesize
554B

MD5
18fd144384a2d6f9a333900735718877

SHA1
449aa74a92ec3166ca6ac2def916a9cbfbe3cfd5

SHA256
d8d5ed8018b5a260b092fa55ffe93785ccfbc9ab126092e1a81139a871f0119b

SHA512
d71cb68280f8417a928037e0c4e5440e2b6ea9ec98a671476c7fce4a7b9df9fa4457e60fc85c3fc8761f253890ee2feafe4675865692c5b845a4c9a11147c4e2

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\es\DropSqlPersistenceProviderLogic.sql.jaff

Filesize
2KB

MD5
52a574894ec27a429adc17be53f4be84

SHA1
fc6ae101209aa25b2fc466191dc1d0dca76fb5b2

SHA256
673d9149f3f18e343ce75402e7bdff10b877963f06ecba4c0b321dcd6d0e4925

SHA512
ccfe74320714ce3ff644c3ef3ce0e1a28fd7ab89fa4f62969c0606f9a372cca68d425db7425b1986e9c03f378648535cffd1efd6461cf1a44ccb5e8f708fd967

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff

Filesize
330B

MD5
e30d4b277a21e0088a76a47193cfbf86

SHA1
7e0e9cae1b58623b909b70623ec5a5bce887b3b4

SHA256
2d01e4dd7e6c291c1a3403de755833a3eef37e4512fccbe9698f72ce96fb9c6c

SHA512
54e5a1d4b055df27d73497084a2e7413a6a7e034da3bafc3df9557692418365ba6d8fc460aa7c38d2166c09c304e5839a80468b5e286ae3c3569ef74e64c4a78

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe.config.jaff

Filesize
426B

MD5
425c04b51a0f822b6af7ac8b33996cc4

SHA1
25517b380acf31802896d9e89ca71af6c6e1412c

SHA256
3ce3a2e9a8699404d07013bcefc03a2d225fb6d1f41273144f91aaf6e1ccb73a

SHA512
7510057c3a4c5a7b8cb000f912d2f898d9b833b4ee39b46930b1039c59951f7a2011218d00902d8d31b6ab86ff257f8de6bfbe2bfdf52b460e19c3848902bad2

Download Submit
C:\Windows\SysWOW64\en-US\ReadMe.txt.jaff

Filesize
762B

MD5
d75f21f4fb4d700f99478a850819d433

SHA1
f733d27085b4f60259b8d90bb6be3915e77681bd

SHA256
73ae60cc2c1db3ee6661a12b456bb6f8318268e12f3aef86656d8d8504f29ef2

SHA512
4e201ca0fa854afca6eed3dd80c2a40d6f50cef757d7985694a661ea5ba6e4b4c0db30ecf38eaeb47b3c5b474f33b73c3734393473a59d6ea4d26746b74666d7

Download Submit
C:\Windows\SysWOW64\es-ES\ReadMe.bmp.jaff

Filesize
3.5MB

MD5
4d38dea841ca9f71cb65a019e9176174

SHA1
a9825d4b5e867d374a13203eaff9823049b6f429

SHA256
587b0216fab3da5f24c74804652bdbf3c2d6abc167a7d89df31c8b7f7773a67a

SHA512
affefcbe5c38ffd09a7154f5221841fffdcc4353573457621905c73bcaf618fc7dd998688e9c81e4d6a7d5aa6aac17b205d0c210f7cfad428e48d9f7d458fd85

Download Submit
C:\Windows\SysWOW64\fr-FR\ReadMe.html.jaff

Filesize
1KB

MD5
2e911d7e542fa28f0b15844b9bc528ad

SHA1
577c451b2bbfa7d9a805b42271b1f64ed8351517

SHA256
836e86c04d9852a952f7a6ee325a173901ed2a277572fc3602a7a82a76bbb25a

SHA512
ec3279ef4df2f02377d743373ced7bca463dca6a11cdc1fdab7c71a1e5674deb93b10f8b73658dfa651569d89f49aba754c6fdc4c2885102cd13c8e065edf113

Download Submit
C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff

Filesize
31KB

MD5
91db1195f345f74e19dd6142f58dd92a

SHA1
d516dee4cf8d491e593bd33591e17d641f1fe1e2

SHA256
22f097cbb47c5368ef27cf63489c1e07ebc78dfd2a2678ac43729961b0026972

SHA512
618e69dba5b94f77285d2494926e306f1227c764c612c78c4fd5e40e8f689bf828cf47a2d20bd498eddd3647cf0c67ee0ae8da7d52fbbbced91463918453bdad

Download Submit