17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
239s
max time network
241s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Size

33KB
MD5

0d2c400c967b3df9f1c5e193e9ffe482
SHA1

2b09bd6fb74d067e107727a7494ddd33eba47338
SHA256

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a
SHA512

55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4
SSDEEP

384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 3318144683</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 3318144683

URLs

http://rktazuzi7hbln7sy.onion/

Signatures

Renames multiple (4076) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 6 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\drivers\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1624 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
1624	cmd.exe

Drops file in System32 directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremium\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasic\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C0.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\LogFiles\SQM\SQMLogger.etl.009.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\StarterE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Ultimate\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BD.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D0.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Enterprise\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\wbem\xml\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasic\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasic\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\StarterE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CC.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\Amd64\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\WCN\de-DE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\EnterpriseE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalE\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\SysWOW64\com\ReadMe.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Enterprise\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalN\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalE\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateN\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Starter\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C9.log.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp"	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Drops file in Program Files directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN001.XML.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8F.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\MMSL.ICO.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Common Files\Services\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OutSyncPC.ico.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Drops file in Windows directory 64 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_wpf-winfxlist_31bf3856ad364e35_6.1.7600.16385_none_40b32988515caa44\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe.config.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..chrecognizerfra.ale_31bf3856ad364e35_6.1.7600.16385_fr-fr_c6d3ee54c5f97d9f\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_de-de_44ba49d32365c21e\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\ehome\MediaRenderer\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9ab5b3b70c426c71\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.1.7600.16385_none_27e5cecd389a11b4\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d48bdce24e57241\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0509c517051939e2\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\inf\ASP.NET\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b68eec9e33fc6cba\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_b8d7927027efe551\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-odbclogging_31bf3856ad364e35_6.1.7600.16385_none_304059e2ef7d19be\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d9a2e129b5039123\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_605ce8d71d2962cc\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..ied-chinese-quanpin_31bf3856ad364e35_6.1.7600.16385_none_f79af98021986eab\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3aebdac123cc0c12\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..d-line-utility-base_31bf3856ad364e35_6.1.7600.16385_none_0da2254524b4bc0c\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\fr\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_es-es_79ab1e6143614d40\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_es-es_bccfa508b62ebcf2\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_en-us_19fef411813ba5c2\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_de-de_84f7d8bcc36e68f6\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9777f183a374ccf1\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_it-it_5508ad2604ca3114\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\fr-FR\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7cfc747fa923d94a\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_78812fe3ee90d4d8\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_es-es_19d331be95543ea7\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0267af49be0713f6\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_netfx-weblowtrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_6ad58a3fc26aab78\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_de-de_45728647f85d9477\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf07afe341c4a9c6\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_en-us_edc13ee9e5ed6e77\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6a40964d5ae60541\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c1ae04d6b2f5d213\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_b2d43d1ffdaf54e6\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_es-es_80b1ce4c12a13bba\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_e303a28dd782739e\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehsched_31bf3856ad364e35_6.1.7600.16385_none_0167f08155bf1c81\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_0bf13b9c8eefa5a6\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a5f3b7a6a481da29\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\warn.ico.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlStateTemplate.sql.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ed75d5ee87c3a271\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_43c8f8ac0805bca7\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2d7749943fcc6ea3\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_netfx-regsvcs_exe_config_v1_31bf3856ad364e35_6.1.7600.16385_none_dd975ffb8de73e55\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_prnep002.inf_31bf3856ad364e35_6.1.7600.16385_none_9379fee912f1f625\Amd64\ReadMe.bmp	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallWebEventSqlProvider.sql.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6c52edcc14f9fff7\ReadMe.html	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..cationnotifications_31bf3856ad364e35_6.1.7600.16385_none_175ab6276b721d6a\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1045\eula.rtf.jaff	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a\ReadMe.txt	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

description	pid	process	target process
PID 2300 wrote to memory of 1624	2300	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2300 wrote to memory of 1624	2300	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2300 wrote to memory of 1624	2300	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe
PID 2300 wrote to memory of 1624	2300	e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.html

Filesize
1KB

MD5
620140c427b4b5abc7e5e9a7fa054755

SHA1
e76aa64a897f59a8a8b771507089e0cc3ac482ff

SHA256
be2c3f21825b8ccca7b0f0dcba835ddb7c8affb985098b7df947c374b8bb5020

SHA512
552cbf2a0f6a0b33f7e744a4eb7a0ee67274ef18d9026c7d167d6432f45699ee9bf215a188057c7abafe9a2a8669fb762c5291cb7b373edbdde2907adfa3f301

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.txt

Filesize
482B

MD5
50f7e8e41f49fe52410d2293c15729de

SHA1
65e3b893df8d3121f5d6eb996c5b8e899fb17a69

SHA256
1cead1525c4e91cc6f5ead299a4e35f5d26a314b3fe970b160a34158d44cdaee

SHA512
502a7ba8b3be8bff67b6b302fc1f0d38020f3ce31797ea8f47158187abf29558da747bb4d1c91a45f2b1a729eeb5c96af208323edd422a18ff9db1c73b8839d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF.jaff

Filesize
618B

MD5
6d455cba89063ee9c3e4ec68b354f695

SHA1
bde21e139a0b7a3437891e62e988a49cc89a62fc

SHA256
6f4541a5582618ed06f215584cf28417cbfb30456f1190418536d1bf8603fb0f

SHA512
fb332bb16d355598d2daa8628d271c4b8a34d138138689ba30e6c948b42eee83adce5b92b2e46120d350ec1f7c66aba9520c3d62b0c140e42ff33f626f1ce366

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF.jaff

Filesize
490B

MD5
5a3f4841adee0b619fa2f0a79dec02af

SHA1
5337599119a5365f32107c1198ae45678be7f061

SHA256
94e279d57324e2370e794c42bc4ba4129851ae85ab1d72a1d007bfac7c56da9c

SHA512
3feaf8849f5415cd06e223591e119692cc9ca3ecd500d71012d03d51633f71af75f6194de6170e25cd1f22c63265f2b822e568d8f64178a12c34a2430be6b92c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.jaff

Filesize
458B

MD5
80b8f5ca3e4d4c06acfe1a7fdc5a0bee

SHA1
55b28c7b86b59a539d155291f52e1e9aa6ee4a90

SHA256
ec000264c9f9c71b307f0343a53d8cd549f556cad312f424248e721b28ffa48f

SHA512
9ebe54c7b538024220a910323ccc20744020dea67b2b11cce457dd65784f8f3368a8d44a0524eb9be00d128402df9f5b4a4c7c43adb25ed70dcf693672242d79

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.jaff

Filesize
778B

MD5
e6c4435d652d6dea1097a8eb9b1d687b

SHA1
215d40d45c3e8bb7264f4c91f82d744999ba7710

SHA256
b89406879deb7b059ac29db3ba0b11d9a1232571455029218aca8ea50007dae5

SHA512
d577de2f33e603fc8dc61a7578b7924473abb0ed7daa51395ceb1a6e6880b44e27a9181898a01257ee360eca5bd19b019f98936a9b0e8c81e93c1b2d21e01975

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.jaff

Filesize
1KB

MD5
afa20f630486b7fe145b467be4d0c1f2

SHA1
c58e6b1385d6d11034e360f21348f6c619713d12

SHA256
db506486d4b754b13c0664cf68fd2c72e72d551b2903225f5c5352f5761b7548

SHA512
48495ccc85a3c7037ee6b4eab115bfc25dc0dae48789207b6cb4a916d661c623126620dcf2ad25ba18fd9ae5112887c3f8cd33f8c45269f30591aa702ced23f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff

Filesize
1KB

MD5
89c847cb7d66faaf927344e8fe2c7243

SHA1
d995fd581da0a8fea17a49caa9e45d0735ef1ae3

SHA256
5f5399742b5580e7b1a4b5bdf327ef590481e1f8c08ad5d6562fe5410578b541

SHA512
a7a216b0dd4b89631deda3462c99a4580d20159f3d343f42787f1e3bf16b4fe91afa4aa86a738d52ddf045556ddcb1fbe919598ed891df6a79e41a5f79e486c3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff

Filesize
426B

MD5
867c514a458b4addeccaed6d8ff396b4

SHA1
ab297887123284719fd96f46928d6ca25a72be12

SHA256
20c3ec350c0f9a7fd06a0d858d7c7feb7abca53a04559f8ed4b351d7a81e7a11

SHA512
758a5e445713c0dc39e1fc982e10024e1d5b4c37144e8d7769d4381bc3f0dabbccecadf3b6b0b2c71400c2e145747680eb0f17754df628a62d968292252b7ba7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.jaff

Filesize
12KB

MD5
3904ad89061092ef95ba47b653009c35

SHA1
303025fa51504ee42df1d135c0b03ccfdcf0622e

SHA256
bc672d9d7db49c9be69bcee11ae67fea39105ae5499aa75ddc02be7ba8337b6e

SHA512
ed65a5a5503f6dd99a7f44a5fb11bf1acc75f64a679c2edc2d7d879f3545ccfe829774e1fe574705759c525a07549b41d4252ff757e4d9513be2b4e836594e83

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.jaff

Filesize
9KB

MD5
8f7924500bdfe9cdea8899f8b136f4dc

SHA1
33b4510797b48b1af873e2ba734ebd92d8ac72dc

SHA256
55e39ccf2b22f9ebc17e981a5920ad7e3138e90a7e01872684e5297c26b13116

SHA512
c6561b48d19166ee51348854cd07725f919a341811daae9f123c3544d3c82051051092844aa69923987bb1b10961ff72d5b760150c779533ae5ccf1c930f6af4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff

Filesize
48KB

MD5
87aea3c258d10f886cda8ff2be94eb1e

SHA1
da0f422eaa67a551a68875ec1376ee4158ff5443

SHA256
9f695b6c5cedb4eee420885c68e4c4861188307a01b443ee11126521efbe7bef

SHA512
39061606976d0e37d148ad01b800b00d6c628a0ba55d84f01b3b1c392e98bd60778f9f5da6558363d9babd96ac5fe842f00915cbbe8c847edb3d848851ad5391

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe.config.jaff

Filesize
458B

MD5
3e4355bf4d405e821a2f55fe049adc47

SHA1
0d17eedd3bc378a78237bb9fdc486171c46f8e82

SHA256
b5194f10039129fcf2f60ad10b0ea772dfd5e5be21805b41b88eef76e9b41f20

SHA512
8be6da292e64a7eab8f28373aa23a832efd84cfdcb62b70f0215224e23936aeadf8b707e52b1d638bfeeac974069b639ac73f8aca73582d44ba70468a7c791a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe.config.jaff

Filesize
490B

MD5
fb0b865b5a48a0775f86dcec60e61929

SHA1
27bbc9251ee673076de57718414ab8a1e721b418

SHA256
49cf92abab6f9d4a3d119af67f288058c3fc25c91ecfdac19cde1a1082fe89fd

SHA512
014bddd54fac054543b7805ac56d5fd2fde8754848f1c1c8008878939af15e4ab5a66fd81aa3811ed8dd30373c031eb6d26e81a0472eb374b348482626c384b3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff

Filesize
330B

MD5
ee1b37732a39cd267c46d0881e73666e

SHA1
1f8556f5797074ac912b34c2fcbbb8f211b3133f

SHA256
0113fae9d139b505af6a654aee704399e3eb2b9d3fedbecad035eaab72ad6724

SHA512
7d225b696188cc721493a9f849ac1079cc3f252768d2a232505d3d32cabf0bf9c5fac177f0ad7d45f4519fd96a6067dfdda31e1efaa05584556d9848f781e3eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif.jaff

Filesize
346B

MD5
ce455d78a3c7bddc1ce21bd63abaa3dc

SHA1
681e0e8cedd0fe6b3edfdc0425fc95b648f7993c

SHA256
40046e75093c52b672149b8941e4d33cdfba60c292179aa92f160e9fe5003671

SHA512
8fa0ec1dea28a7a8f90059b1e58298f68464b3c8ec9925366e8e3e39c25163a169ea7b1fde88b0e3ab7dce7d676793a50198342a18b0e60f6cc292d1e28227b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif.jaff

Filesize
346B

MD5
ac2170ac5968a34fcfeef9c4b7aa5f1d

SHA1
2f33eb43e87bc5443c89b722ab6956ee50ef0890

SHA256
bd76e3b749db5e24d5f0829685a42d966c8290e6c830319fc71f49fbf9cb03ec

SHA512
f8b869e61e3c2c45b74f1bf031b906ed0d7f9e863a267ea9c95795fbfb8215f11147bbb9a956555382454b9d97f3c8b0281d700bbf8ea195b9f4f6cd9d280833

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe.config.jaff

Filesize
442B

MD5
eb1f9d8b57eec549afb8bdc3f639937b

SHA1
35eabbacd32c4222094f641d57feef2bb3ff43f8

SHA256
4e5cb3b8bf1bcf984114aa85549d755445b16adf7bd65475844723be62ce8991

SHA512
ccfa01dcfae589067a7b6ab9ea551530fe1145b23a2bf90c6fc409e54ccfbbc5a83326780bdf1205c4c79e88567a0293041eeceebe2adc2af286eb53c6655c07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe.config.jaff

Filesize
554B

MD5
64b9a60fe86cbee1f54ab9f29c0b3c07

SHA1
e1b9f71e8dcde8c87a7cdc2220bc0dd9cce089dc

SHA256
1254b2f743f2d08356893d49c5275b6e2be4952d4177908615ffe5a9676653fc

SHA512
4895cf4a75a2044ff89e9d635d55143312b7e8bc293517fa25685b9729cfb027bfc94f394b1162e61adf991338400012a2090737b70ee522b1ec4cd9f5a9731d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe.config.jaff

Filesize
458B

MD5
907424a81cacbb3c0faa5ce743cb0752

SHA1
084b4ae0604f79072cb60c1da2656895a6455ec9

SHA256
71896959ecf2d936827b81990af19205967278eef94ca1a38a17959f8855caa9

SHA512
6ea1326edc46e334781e1f445c0489738b87e59df0c1174df86a001940908277659ff321d7bf01c0ead0b50b838fdf2ba0e131606ce32cf7dd0ab56053be3b31

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\DropSqlPersistenceProviderLogic.sql.jaff

Filesize
2KB

MD5
9b1febe05dd4574c3211b7f8389e7949

SHA1
635e4ad10457bcc2dde7a3b6cd2efaac767e288c

SHA256
d90ede19ec0a919858589329e72d2c17af7f15752812f2f4c814ef14208777c7

SHA512
e230b5faeb705003e41d65293012cf813398c9fa2e6a5b3040ff1b9b6c6124b7f4a0a5f85ad0a2cbbb0a0798ab5eba948caeeac86fcb5fdfdf61f311cb1f1539

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderLogic.sql.jaff

Filesize
13KB

MD5
64db2f6079a0811d68c74a101c015158

SHA1
a0ce07946195e3e66210b1a46768772d099e3f86

SHA256
f034dcaac624501b24c4dac6bc3a0c0d6fd7b90e7730c240a5af93fcbb0e9583

SHA512
e82add39746975729b0c734505d33933b65786cd3de45c115d2b52b433ab413258ce57f78744c91b666e7f6faae24ce74cf36e796732e006b42798fc7945b7c7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe.config.jaff

Filesize
426B

MD5
089c2bc142ef909b6b7359b1ce67f0c1

SHA1
108fbd07cb8dd5a52eb04d6f7f91573b9d46a5b4

SHA256
a7438e4329161009eaa81cd5b188a82ef7dec5dfd2c170bed5c0e459ec912ec1

SHA512
1cd1f0bf7de1cadb48f5e84daa9dc07a5a364004d04fe4af69c8104d81b3bf5aac03d40077049cc0a820284400a5ed7f74a8fe2b9df758bcf247275585585509

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log.jaff

Filesize
282B

MD5
897f4f23997f24ff609de2cc6b52310f

SHA1
228030d8207b2701dc7840c470b6291dd12a557b

SHA256
1e0a358de6ea42f0ae02a1187b83d6063bd0d00d593bff872fb8a2ca5a180af6

SHA512
a02c9f92f568d4d1088620d15b7b00c91f485c6f2f8c3aa548fe9018928e456ade1f92657572666be718d80ba2aed032e6921489263ae1eab7559468dce49f3b

Download Submit
C:\Windows\ReadMe.bmp

Filesize
3.5MB

MD5
f919d983600ad99b50eb45df77755fb2

SHA1
f7e730fa9efd88faf04c40e9cf17beb90edd099c

SHA256
03f97743d19be1fac4ec6096c3a5d492f6b560690d4a9359ae5fd4822509da98

SHA512
efa1822ca8aacb121f1cccda33669b9515fc1e6d231b9b1afb1fc601efc1ace9d41a7ba269f7ca47fe4ab584c9c93584501f65ca7e8eb4001052c39518194983

Download Submit
C:\Windows\SysWOW64\en-US\ReadMe.html.jaff

Filesize
1KB

MD5
79704cedcac47af2d729163e84c9e530

SHA1
77ebe21147b9bfc3ca7c20248d483b8aa1fdeda9

SHA256
8563be430bbb46c76a78514fd8e891afab67dfa6adbd224908a2587579af19d9

SHA512
337a701b199e75a0bef737c76b0dbf1cebe022b707d0459049d7bc8a0946948fd830ee8e634052cd73f1655cb832c806a20d809f0040e1babf5d99f2ae1229fe

Download Submit
C:\Windows\SysWOW64\fr-FR\ReadMe.bmp.jaff

Filesize
3.5MB

MD5
a1d0313881a7241f944aed6d7fa74de5

SHA1
e4b202779d52b1ba21077b91b9b23723a48f0f3f

SHA256
e974b660ffe8bc11f6f671bd03554e49da25752644deb41794b201ee8ebb879c

SHA512
4bf92570a735223ffc051abaa1ad0f483a4897bdf96979849bbde7863c39802484b962fccf73b51e3b8f5ccda3107624b6267cc25a135ade21a3e95881872868

Download Submit
C:\Windows\SysWOW64\fr-FR\ReadMe.txt.jaff

Filesize
762B

MD5
b0e47dbebd0778b450a5832dced32e3b

SHA1
cd33870e57270309a3bf0aa96de078c0e5456702

SHA256
c96cf1ae19e84c29489c6461de6f4c2622e5f43b46182c7917b79f4f713c7400

SHA512
78f2376778a37d5bb3f902ffa278937c217b34fcfec99bb4e1e54d8e2ee41c19a81cf1380d3ae37c5b7bfdd548307a09fb244708589c2d44b938b4eb2fc61dbc

Download Submit
C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff

Filesize
31KB

MD5
7d286af1314922e4704ab1e136a1c71f

SHA1
22ca4ffbbc9c4870eb4bfaa9d2709681b296235e

SHA256
b017475c2f214277725f7a6d413611063d8fde3a91c91cb0c024984fd8e6d0e2

SHA512
98fa3b16580fe6ec93858fb1827c2f40408cd82dee08f1f9599a0c6359eb2419fb77ec23d9ec11edee9f2888ddd4eafded4208a0660bd2622fa63c2ca98dbc40

Download Submit