347b39efa2eb3be7a9a16ab6612bf68e34e7c069bfb2a78f0bed382d024be8ef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe
Size

5.6MB
MD5

eab5167f2fc67c0c8d9ed61f300789a6
SHA1

e340a8febe8144f096b4cf62c15940d84e0dc127
SHA256

347b39efa2eb3be7a9a16ab6612bf68e34e7c069bfb2a78f0bed382d024be8ef
SHA512

a15c05fda9c899c0d6e41b2fd42728e468f86adcf6656b5e9bfcc645f4390e1f5bed4b3924cb141d221585a845bcc64d54c372fe31c6adc49a9ea7412e3cdfdd
SSDEEP

98304:J8xZ1WHMBaUDvqr8HSB6smen6EamSkyuRt8x1nAnpIDEH9TytTd6/O2:KxZEHgaUDgx1n6EH7uCxdkTd6/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3948	PPStream.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinPcap\Memory Diagnostics Tool.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempAbout Java.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Word.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Windows PowerShell (x86).lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempSystem Configuration.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempGoogle Chrome.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Task Manager.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempODBC Data Sources (32-bit).lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempMemory Diagnostics Tool.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempDisk Cleanup.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Paint.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\iSCSI Initiator.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Office Upload Center.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempTelemetry Log for Office.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\OneDrive.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Administrative Tools.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\PPStream.exe	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe
File opened for modification	C:\Program Files\WinPcap\TempTelemetry Dashboard for Office.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\OneDrive.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempFirefox.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempFirefox Private Browsing.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempOn-Screen Keyboard.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows PowerShell ISE (x86).lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Wordpad.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\dfrgui.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempSpeech Recognition.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempExcel.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Spreadsheet Compare.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Spreadsheet Compare.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Word.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows Media Player.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempCheck For Updates.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Narrator.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempMath Input Panel.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\System Configuration.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Office Language Preferences.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempAcrobat Reader DC.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempNarrator.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\7-Zip File Manager.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempMemory Diagnostics Tool.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempRecoveryDrive.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempCheck For Updates.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Office Upload Center.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Telemetry Dashboard for Office.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempTelemetry Log for Office.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Remote Desktop Connection.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\config.ini	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Office Language Preferences.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\VLC media player - reset preferences and cache files.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempConfigure Java.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Registry Editor.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Check For Updates.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempConfigure Java.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempOffice Language Preferences.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempWord.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Windows PowerShell.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\ODBC Data Sources (64-bit).lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Google Chrome.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Immersive Control Panel.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Magnify.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows PowerShell.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempRemote Desktop Connection.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempRecoveryDrive.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempGoogle Chrome.lnk	PPStream.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PPStream.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3948	PPStream.exe
3948	PPStream.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 3948	2800	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe	82
PID 2800 wrote to memory of 3948	2800	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe	82
PID 2800 wrote to memory of 3948	2800	eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab5167f2fc67c0c8d9ed61f300789a6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files\WinPcap\PPStream.exe
  "C:\Program Files\WinPcap\PPStream.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinPcap\Google Chrome.lnk

Filesize
2KB

MD5
36ac1a7c73f0fd2f5f5eb3bd2b752f05

SHA1
881856bb7c0f40f98b12dfb19414bfb5d116d916

SHA256
9b2722920113bde2898a39d91bdd6038bbca518db0b254da506496c003454246

SHA512
c79fa68656e3ffd5c4b973371b14144e6af5c5937a9ef86cd2f58e2ba49b535a303699aa25077ee19d9492b084fbce002d27567bf693bfa527f030d06ac86bb8

Download Submit
C:\Program Files\WinPcap\PPStream.exe

Filesize
11.1MB

MD5
b44ab093d9a79c78298a062bbd9cdb09

SHA1
39a190f3df565cf240d5eb3b060793b569245377

SHA256
de05eea194cc7dc82a88ff14ca6af8299ab5c74409bc70187c0b4fc671a6dfac

SHA512
63057dadc3a57c8f0e19510d12a258d2ab46eefe78508391cc2cca405ed7e08a3141a95ca6bb88da29e547ddfd1c39800aeaf57ad8833f32a6967b10016cfa84

Download Submit
C:\Program Files\WinPcap\TempAbout Java.lnk

Filesize
1KB

MD5
6048554c3b00002ba215c3ebb24a0629

SHA1
d6d95fa1bf4d0c394ef78bdea9a5c70023c43113

SHA256
04878e9a9c19ac392bba3f6f76ab38e5a02567c292f4e74ac2e00d755298e904

SHA512
4da33ad4a26ca5b45a8fe93da1287636ac9e310823990aed1b352c5c68de3529a489147bf21663086995908782baa1409e2a0559c0c648e3d2f81c15d4c7b72b

Download Submit
C:\Program Files\WinPcap\TempAcrobat Reader DC.lnk

Filesize
1KB

MD5
0f6068e2934699bc1dc0200d06195f20

SHA1
0feedc14fd44d9a810c4124cdf03a22e387db4a0

SHA256
d117ca8b00370c93a784ff7ea5efc8a6c8f9991e87d732582fe33d0f859918c7

SHA512
2ba28b5299691d14afb850a19bdbd1367753fb3cd5c62a525a022a5dd27a7c2854429f2dbfa265f9e45b0fe350383297f56b20d1e0db8454a418be394a4dd763

Download Submit
C:\Program Files\WinPcap\TempCharacter Map.lnk

Filesize
919B

MD5
cd448daf1c2668d6d2d40e7be5a6cb2c

SHA1
b534277465f81110d555cf0cb14eb955f142c2d6

SHA256
3766690e1eee36347d5ef232e24d869d3a84b5b2de3a99c04f8497438e43f363

SHA512
c1cd18e09fa88bb62a54c6469b6a8f77866e7ec9e2cf46ebc5ff1f0b2883a8c3fdfb43e690d810015e9ebad8a8d26e8e41a07d445a2f983d3979331ab8a57f6f

Download Submit
C:\Program Files\WinPcap\TempExcel.lnk

Filesize
2KB

MD5
ff3a658245039e3ca78fb28059eeaa80

SHA1
13df0c25c8409b20f988768c044add7efc07b272

SHA256
a7547e0fcb4c8268e6424ab76e36a0cabda729c06faf629c61cf4bc0e13fa0ff

SHA512
4ee59b9c3b2caf76f984a369f8b05702df82397dbf5fa165d85e0a49270809714860fb9712c66de78e58adb476c3370397c23b838237c5ce1aa87ca2eaea4294

Download Submit
C:\Program Files\WinPcap\TempFirefox.lnk

Filesize
1KB

MD5
46d22193cd7c18fcbe8af4892cf006ba

SHA1
8a92f99302dc3b718ceb9edbc646eaf1d938e1ce

SHA256
829e2ccf4e75a2e81a3beb715ef9a77420127c834fed5e08df00c4369a500c60

SHA512
0af0873ebe80de41d6506fdef4fd9a7f2013fdcf3a4c29bc2ba6a9c33395fccc3b3e76d674b27eec89cb6034460587713d885f87b70cfd4a86d8be84bcb52dc5

Download Submit
C:\Program Files\WinPcap\TempImmersive Control Panel.lnk

Filesize
2KB

MD5
2baafb3b32b7a347ededd0764903dfd3

SHA1
37869fff67ac5cb8d7963827c705dadb04c1e7eb

SHA256
376350b762792040040a8aa732d0812f95a63c6541621e84b013b865916c4405

SHA512
70272d9601ff603ef22ed21c57b453a6cb00c271d887ee4dd8faa5aa952bed6b891d662622c0f492e41e1b78ca07c6688045b17e34799dc6fdf1607d98a75659

Download Submit
C:\Program Files\WinPcap\TempMemory Diagnostics Tool.lnk

Filesize
929B

MD5
3f46ebc8ee8f79852b3d5952f667b423

SHA1
cde703f480c8151ce5fc0c7aa37c57a716a30bea

SHA256
0a77a4d4a1c4f8100cbfd27c2c259942cfd2044a1be202c9e0dbd1ad8d4d62c9

SHA512
598c323c4bd7baab6b1f128f524b87cc5af8878c55523e71520cefb3c75e2e1287a0dfccb4b970884d2e6e135b4e5038349a4daab9f75ac100dbbc08c6a6ee5c

Download Submit
C:\Program Files\WinPcap\TempMicrosoft Edge.lnk

Filesize
2KB

MD5
a48ea56312de4f6528f040ad851724b2

SHA1
adcba206928287f0b7d21249ff87c10c018bf1cc

SHA256
5e9c427973ac85caad836140e01c8abdca92894c150be18eabbaeeab819a6121

SHA512
e6945c33ace927bbb0edcc6b4e41136324e7e254684e5ba848209c70fc491fffd496e875082c16d2c90e32b725f422c5562acea51154c90a8faca785e3ef8d8b

Download Submit
C:\Program Files\WinPcap\TempMicrosoft Edge.lnk

Filesize
1KB

MD5
692205ea67f5c2091d0e9f6412944a57

SHA1
6c3e79fba040ac4c57abef7b3282fb41ad6af15b

SHA256
cc42b3dba572786ddc7579b94e4439658bc7bac470f57896df3fa904dfd6e1c3

SHA512
db8bfa2d14e46c007e42498bdc62da26e385cd8145baa7462a9487f26f854072de5d05762ea001e4279efbd52d76f32a8cd55090d4ee05429f0b1acb759b9a2b

Download Submit
C:\Program Files\WinPcap\TempODBC Data Sources (32-bit).lnk

Filesize
935B

MD5
53203638b696bf88374101db6c250c30

SHA1
2855d87308ee434844de2aa82b92a2a093a22b53

SHA256
e4cd46036b3249e791167df9e606417e8a0b7125915e663026d5d0dc81e86671

SHA512
e5318d393d5ce5256f17130fa7352dcde52a218243ab7b971a316cd6aa40797dd9588c7a85749a9fbd45f340f1854ac6a3d25069f1668f63969e4a276c1014a4

Download Submit
C:\Program Files\WinPcap\TempOffice Upload Center.lnk

Filesize
2KB

MD5
6219125a2874a47d9ed0713b1f0b50fd

SHA1
0d9c52f31c1d52ef8ab5ce2706881d99a95bc9b3

SHA256
4a83dc81786dcbd2432165a14816d1d5040d95a73cdf4796e1f568b2ec5d0928

SHA512
791c4da5c9f68b73de55bd06be94670ac3779a4b0e7b630a9cc217172fe282e7329028d27f6c3ee9841b444410f93f7a67ba0e9a4d472cb5b0e19e9b5ff61ed7

Download Submit
C:\Program Files\WinPcap\TempPowerPoint.lnk

Filesize
2KB

MD5
2e339d3de686033cc05cc4f83ce7e7b8

SHA1
e72732dc3fc362d5284123ad7011e820979d9bf0

SHA256
4aa13901b9a4122cdba144ad660f5e0f82bbeedfc5ed224b3dbaa5689963b4b3

SHA512
a1d5b82748347a57699eb38191daeda0d18d95e3888339b776ab4a03df03e0ecb1c14903f915ca1a1e32fe65694f6115f4d4caeb8f9091483213cac6101e6926

Download Submit
C:\Program Files\WinPcap\TempSpreadsheet Compare.lnk

Filesize
2KB

MD5
921eeee572b7de56b9c61fa4d6166584

SHA1
e9964ddf849d7b1adefbac36116d8e00551129ac

SHA256
f78b3062c2c244cf0399c816c0f55dd109dfb57ee71cd79b67a31caa99111f38

SHA512
ab3089e044787816024699f36b28a7a0ee405e9305374dd2b5964cf2481d813685ce82d115d7c304c33e9c9d383c5b70ffd241cb40b6ae518091a53e7830e35c

Download Submit
C:\Program Files\WinPcap\TempTelemetry Log for Office.lnk

Filesize
2KB

MD5
065ce4dc46e912b199e1e4e7157b90cc

SHA1
002152b0cb2d21ec1939bdde724d68481ccd04db

SHA256
32aaa59893689325f2f3e54b1873561a6acabad9b66e2c768a45cf98a6bf9e86

SHA512
f04ac1315c42c06647d61257b4f57c5080519dbd7405da21d00709aa88f4d5147f9a3d6f66e7f1caccd90d48f34001cc2a54b4c1b06a709e99e47aec78d154fd

Download Submit
C:\Program Files\WinPcap\TempWindows PowerShell (x86).lnk

Filesize
1KB

MD5
47e44c362037b8d2c5bbcb38981133b3

SHA1
fa6b51e9547f986575476733ff26098f00979c76

SHA256
b254da2ba776f56e55eb261e8b54e395d3a6a1e9bea4da4bb020714e44f7abde

SHA512
2620b66a532bbbb1b18632e53e1100c6d8daf4b9a6f58af02c082feb7c42a44e933124bfedab2a7428dffeade10378d60445012ac11a1f13fb4c9441cf36ea0b

Download Submit
C:\Program Files\WinPcap\TempWindows PowerShell ISE.lnk

Filesize
1KB

MD5
71bf2d994e1d726f6379cf4fd9111402

SHA1
db97832296fda2873087a105ea2fa16374888d72

SHA256
871ff6b53069a4eca9cc73e4bcef8b4c291c5683c9cccd01774ce7b3d15a7352

SHA512
50757a50b8f37781dcd1d5fff036e50fc564e758e56e763142a5f29d9548e6b6825f8ca9c99fa2e37400c82b77c7a0c248df49a145b8346625e2425f4f2cd287

Download Submit
C:\Program Files\WinPcap\Tempdfrgui.lnk

Filesize
905B

MD5
e70cb09d251024f22d37a2b969dec291

SHA1
5787acfaabc4f0d5e9fce5cfc032a0da3f487abb

SHA256
7cb5eb0264ee411eadbe9888cba244762aee9dcb92ba9d229664fa7d10dcadad

SHA512
f7c3b7e85cc754068317fce03c4d754826058e43b84c05e0cd663fac0618263003a30a1c551373acd0eaeb253c8a7a1990e1d6f0bec4c5de19f20838f4422029

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk

Filesize
1KB

MD5
3857cacf3a2ce89001797c8cc1c7d25f

SHA1
0d900fbf1c6814d66ea07736b7bcf97c622afe87

SHA256
9f17edc0aee6c5a4ffcae8aa03e03746b3288db032362a0e0971a1347026eba0

SHA512
e68f110f5a813c3fdf1dad56e39f01501bcedf4cebc9c148e89f3890a579464354f7ba8f4cbe880574239d356f54d9e9864076b93b1c2d85b1f5674619550b6b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Speech Recognition.lnk

Filesize
971B

MD5
c440633c460f46572c6144bd608ca4b1

SHA1
085b830e62d1c50a0aa03704249d54e9401048f0

SHA256
edf80caf3840e9eac53262e12579b8317f7dc54c9d13cfcac2f091afd7443402

SHA512
60b6356ee371eb3f4fcff4d2e4e5773476deb43b688d626b7b0fe821b7d566f87f886f7c2db2e1fc976ccb210d4e216635e70ef54ff272fc1056409618e30c75

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk

Filesize
1010B

MD5
a5ba2630a0aacc17a2042e4989d29cac

SHA1
d057f5a38b0503fc3b6b65015baf2925a5a681af

SHA256
d27891c9d91599a0ea2a4add734439c84399d5e941857f3a0648144cb76db4a2

SHA512
d57a98d3c661f595a49d52b872f22aa60367e852eb11bbb876afc4f4398cb0d6d22813c976faa74cab0bdb7784b92b010b62d8b1909a5f3152b1fffbb6359426

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

Filesize
924B

MD5
f40a87d378aa6621c534d1068a32771a

SHA1
5f506d0fbb82d64d3e160db36f92030ff402befb

SHA256
4e80f83a831cbb8695353d69c405e06ccb62bbd2ddee35060c739c39e0caf7a6

SHA512
a4c0adbd8b098ce8dbaa2bf6ff980b2ce929d594fcd0a92a7314178399db33fd4e3aca3e2b85d75d8f52a0cb536363ba809a292a84d2a3039b249b6cc2fba55d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk

Filesize
920B

MD5
1735059141792439f18e13c21cc62ee2

SHA1
94475cf374aa94c64eb1afa2b3b8915abc00c63d

SHA256
6e9e34bf2a77597bd8b92f910dab7960a2b1598868dde0616797c1e52b4ef1c8

SHA512
13023c160f4d92bed881c2edf0d61bbd2608d4c2e3e5d806692a7cba1d2bec574f1c86516dc8bf901d630b4406285edeb602a36f6931b6196198c573d7ae14fb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Quick Assist.lnk

Filesize
946B

MD5
44a2aa9e2d8a61375e47dab71b2112c3

SHA1
cf3e5aae7f46938fa136c8cb67d03f1600ffd5a2

SHA256
836fc32f598e45496fb8d995ac70c1fb755f939314f7b32d90b8cf349156883e

SHA512
ece5caf54ff02b0abee430b8da938d67c6563df354bb8fa6efc77957c4f4c12f9421f0a0ea438adc9fa4a4fc27e539f242f53164d96ffbd8d32e3631852989ba

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk

Filesize
1006B

MD5
4cf817b45165a7ca2dda2b4c2adbc13c

SHA1
0486e29c7db56454a26b36aee9b2fd4b6a288bd1

SHA256
c6134ddcd067ce6aeae5a2ede155b0f637bec192e039ca72403c34f307307f9d

SHA512
9274e6ff7036cb90a57df39dbfd7f3b5642bb5b487d6d15b8e1aabe88a6ef5001503ebad308b8bac7e636034352981fe3d8d5efc3fbd62f875c5c76ebc3c0595

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk

Filesize
939B

MD5
782bb0804de7e116a2fafe7a65f7e15a

SHA1
2557a9407b99518888e2d6ab7c30c63b16aa2eb4

SHA256
4912c0ed1dd1394121b2585d952ecb66bad92d45d768a1786a1f164885daea21

SHA512
f91d50e6a4246073820bb458106b01a5c6621afc4bcf1306a7b798df91d535b7b3d832830becd5c4570917d8e0944536542ba69269beed4c205f969aab5bcf61

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Steps Recorder.lnk

Filesize
920B

MD5
1f85f35841001bf5696510ceebc65b7a

SHA1
85ec0af0d0e22214679ebcc004d2dd6fb19a7361

SHA256
4a754852b88756b763dd7b6301227b0d687c1714de29ac09a9ea85647848a620

SHA512
67c54d4234af16cefe109acaf3441ad5a0dc23c2b30c32ebd50d986d7c8d07b853995906cec2712a30c47fcad27f916cc974c448a5360741ddb9c37ea593f5e8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk

Filesize
932B

MD5
47a9538afac6e70e000621f0785d99ae

SHA1
f96b91bdee203361f6ba04d389ed4e9a36f59aee

SHA256
55f28ae2e28be1fab67b32022729d53d0e19b28f406365825e6138727c29fda7

SHA512
3a66f1089b12b8da90be3b1a439667596df43ebaeef8fb862e13e1069c8cab584842ef33f3050ebaf49fd25b5b1fb16c454d360ebc5e603073528c71946025d0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk

Filesize
1KB

MD5
cc4c668cb005d17f4ff09d9ee643696a

SHA1
1967ba83ba28fd15b59fdf77a6f4d0cf150c6eb6

SHA256
ed27e761692b03e2f5d0279196adde49ebf36865aa08b1961b26148a857094ef

SHA512
4b25c749a2c1fcc7a4f1f9a405f7adb85e12a0a9ff47ceaa0803d3cac178586a9dfaf782bc4350429e8f30f0e6af2702f9ebbd6fa188191aed009a9cc77a790a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk

Filesize
964B

MD5
09bb9be59e7ac55c49ab018f9ce43144

SHA1
4292f63dd152e3bcf71e5ba20f16ea858e15723d

SHA256
333e670c4f780d2c59d0777b3b43448caee2ef30998cf3eb76675ac69cd408da

SHA512
8c7b6bf9d25776d0eedfa69780bfb32f50af338987953542849f3bb9a450dca23fa160374286ad859de591918d62b024882bf7e42e4aadd1763b06e200609955

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk

Filesize
919B

MD5
e58491d1186c2ed24223c8653126fbfe

SHA1
338ee74a4e4490a06feed9fe3a968b70623a42d9

SHA256
bf2aeb2ed6f787266a7314de2ed1df4f9f7687bb3f2e2e5ecc156650bdb10c9d

SHA512
4efe91a5eab922857f5bfe43b55d5f524829f1a45b15d4337a2b6b007cf6131f192055dea9c96f47738f0838066ff0942d663e9c7bf1095345765c89ffa95992

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk

Filesize
935B

MD5
a9e3265c5f58d1dcea709852b442b361

SHA1
a04591189f0388cfa0743860b7d86a522db97705

SHA256
43d06ecd641501b9ce7d1b5f41324cc9fc2d6a4926fd1ad760cc8bbd3802b84e

SHA512
5d3286f3af2191726155b6d40025e8e1e4b3468b0703323afdeff09eef33e4bd4b6f8e0700d1a70c3ab3e73f8fba59d05b1e27ba4c242f5b4330d0a0ec05894f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk

Filesize
939B

MD5
0cf6d113a617ee164fe4e8455dd145e1

SHA1
658e72eae8c9391ec56e82aab220786cabe03871

SHA256
f941568f6d254898ddfac1cf143d4d65b0e40f39ed6e69988eebbb2b8094e71e

SHA512
06dde28282e9f4a5c044b286a0f3afec1fb5e8981fa4dead56c6e54528f53a271f0c96d2504cd29220c9c316e6cc2d30eda09cbefde226a6bd1bb5187b9806fe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Registry Editor.lnk

Filesize
873B

MD5
6afd6e91537eefbec9335c30637684df

SHA1
e44a5423c238115fc33e67b208f28f599b4470ce

SHA256
4c1b9700ef261738427ba08fad54f22d3477587fbc601e4a18330170cf008fae

SHA512
14e46b77ad2bc922d14dc30d89aec6c882b9661b050aa38b89f6a807895bde2b0bd0ca27644c76b50bf11b6cf1075c6e5ad78a625dc9609cf9850cb878612179

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk

Filesize
909B

MD5
dced378745981998960a77973a36b77e

SHA1
70ea8ee6a697bd6faeacdb0898989431fca2916c

SHA256
a92378e21a76e4fa3403b3ce9733c545382d9647683305006c4757e58c1cebcd

SHA512
4e705f83b1818f27a764833114c8b1406ebb0ceb28276cabb51a4e018f66cc94aa3acceaa4c371135a3acbe5654413c0b3860254c7c26a0ede88ba41b4a37e0d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk

Filesize
935B

MD5
30cf04959c648a7428acb46e12af29c6

SHA1
1a21c2dc0b4f22d21fa7497d2787a1e78d10c453

SHA256
061d6f60ea14d7fce54aee71fc93874eb432f5a119fa899288612d4b2bcb48f5

SHA512
41402163a12f75ff6647e32262bc416a36e40063a1739dedff96ee137132014423a06f66191eee70f193a5213ba643c0e2f0d53ef18bd2f1496585ccda76acd7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Information.lnk

Filesize
929B

MD5
fd4be00970c531355bf4d3f704285db1

SHA1
371e8c2effef82c3aef1854be3f1e96b40f82e91

SHA256
364d30cacff8dde168bdfd0da04c7d78c7a9320b831f117eb2f832feafcd38f3

SHA512
2c9b130c34116b129aa16ac76b3c4b14e391e8b122cdd939e320b5ea25d1720209c7e759c7550d2c9ae9c1d22a3f2b31efc040a6b57b6a5edb7e9254e0937a9c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk

Filesize
917B

MD5
21a39ddc1a40cbadaebb4216b1482e4c

SHA1
2fcf1f7f130df5ec1f42566a1e1386020db4b006

SHA256
0fa38153b69dd0342729df0649d792a2e113f55d76466cf710815b4f7aa4383e

SHA512
bef05fbbc68568bbca6c66abd9773b7958a1009d29c97da4a16cc6345b12864dd1af4a9c0520ba5df56f79da70666af105d65f6cb5f934d8eb5def2509784661

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Private Browsing.lnk

Filesize
1KB

MD5
45093f5a0f326ba0d9f25b9c7d3bdcbe

SHA1
bf441a5112ebb96e588591cd03819652f9ddd0f9

SHA256
fdf395731b8fb6076aa3b313b6aa96c0e26ccc0746e5c19a393ff69e8c5a1369

SHA512
70e4acc6d645df14a62e3acd4397724c0416e15a7adea6ade9dbb0556d91bf4880ed44f0f3fd6ad1085ce37baf47c562d177638d2fd8e3930c55e2e67ae85022

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
1KB

MD5
955b362ccc5823caa06429e9f5e9261b

SHA1
627c0eab4ad342baebd842bb22e793a01b33cef3

SHA256
2be20c6ee53f79cd4574291619b139467fd55e0c88023579529aa891de358905

SHA512
88aa7644798fcfb81b0be7ef23d07e520888e411df245df84cf2b7c78ecd1cd5357d9400b9967f1d4f6faeec15670307c529df37af71de87d8a57e4db6f9a668

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk

Filesize
1KB

MD5
b7afcc6fe08ad6d6a5fb3d8ab1eccc7d

SHA1
391e8f5f20e3c3c7fff7801af5103d9f3eb3d3c9

SHA256
4c9a92a8faa4579b4641a6932a95e33fbdedf575b7361f14973b0925038de129

SHA512
e5a3247eb56362b1b780ea480b6cf1c4a5fd82e640c5bc5a3152af0a505d04ff08184bb124637a02011b2c5ee4c1b7048d118179658d67b2b30b275c846ab44d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk

Filesize
1KB

MD5
a14471b2b8c0ebed90cec61242d114cd

SHA1
7e2f6c96bf65ceab0edaaef82464b8b7ec87b5fd

SHA256
a198fd686410208f6c017a3262c60fdb97139927552d718edba2ec4708bc66a0

SHA512
f974ceb48ad17ebcf8007a52a7e007083cdbfac2c624c5ea4009fecabe7e8d000c06dad43080607f82373a90126e5f15fe0d9f5fa1ee099eba68e3ba3611ed3e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Database Compare.lnk

Filesize
2KB

MD5
3c2d5f99954c800ebd7fe55764fca620

SHA1
624296f4ba0c5f61ac853ec87dab76281a36daec

SHA256
62af4da3a9f2c3ee6f86e2e85f74eb15ffb9d337ca992e791bc3c29bf28ee85b

SHA512
c4702c73c4c8f0b105188099ee31b2e8fb6fdc66917e030d8a3dc194b4d6e79da95294a879cbbb1d94d8cbadb8fb00b2afe04c7e3d7cfef2fb69a349a7a958a6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk

Filesize
2KB

MD5
1b7b416c08a2af0b678d4e07c0150b2d

SHA1
a58dd4fe4382236e851223b4065aa4842b7f204d

SHA256
68a86a7b55fc3c83d635b3fc737101c843fa5912528fe9afc60a7e47cc351733

SHA512
01de580cf23443029e01fd0104950dc2044ba6bec1c39c5f3e6a22d045ba49b08b76bc9671739a7ce2a9f7347cc8a34d1b5b6a7b95ade57f90af0d7924228edf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Dashboard for Office.lnk

Filesize
2KB

MD5
aa9f75a2a3ff80ebeef6061878440fde

SHA1
c3993a7b7031f822fbd25416459ce9d916386a93

SHA256
6e449cfe0d8c1110fb2ef450ffc6d94116039f9d869f8d828bbb32ff4943f5e7

SHA512
f4b256efc5b39f868b7326c6e6a42cef93271d1f4cd484765f625aee4b1c40059faff9681cfbf40510d9fab29ee074523e9a54cdeb9948fc6153471f636d8a20

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk

Filesize
2KB

MD5
8263e822b9a1037a24b065fc3775dfb4

SHA1
2d1e60214a16034cf37e46f8ed8401ed7e4ad540

SHA256
177c28892fbcca1f23e9ec4430cab2cb3951585d0caee6f91b116c6ba9c54c63

SHA512
100ccdfb227ff44506e1f8566d1fa6ab0a0030bed89e2cb733784b5afab7d4757585bc6c0f05d80115fec954bf5b42ad211ab50413dc0f064a3fb00e4a5cfca9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk

Filesize
917B

MD5
81eb085168615cbbdcc5f1080d43fc11

SHA1
b950fef2fafe98956d58ef0c4a3ba57fc8104db1

SHA256
7ab50e8b403ec54fd2e30b0f56ea3712d8e6be099f80c7a70de32165a6def5cc

SHA512
2a4aa534726d6a39f41fb0f8ca44f012cf9d0bc12e1299325c6affd557373a6e5436f9f1fa640ca9ffbd1af1c0406c7a314975a11dd56bd93744352e086c42ea

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player - reset preferences and cache files.lnk

Filesize
1KB

MD5
0f8674e93c27a381afdd9828a6a49f01

SHA1
c5180ce56c72a35bc63315aa0e0a428eacd25f98

SHA256
b688575a503c9087dfb8d7e00c8ef939facf4cd515d6ae10ab9c3a9d5d784d74

SHA512
67028fdf340f293e07d2711752443051edd2675e798a801fff45554e9f287f61b703a16cf7fbfee91ec2e61a36c41c1488e2900e9939264bcb63d203d710e297

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player skinned.lnk

Filesize
1KB

MD5
97dfede5adc6eb65c6cedf1b6ff987b2

SHA1
1fc46573a159bd374435589d6b4673f6cad3475f

SHA256
c58aa0e804cfe99ebfadc87da36b6f706871897c231208d02bdd7788b77a61af

SHA512
8b8e5f31ecd132fc701224012268352a03dd8abc724b3630ac6dbc58060c20b3697e816f3f1961480eddca65336c4ac6c69f0eac92ba0d1328c7ee029721eea0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\VLC media player.lnk

Filesize
1KB

MD5
c2c4e42fc6126e6df9ebe1edd3e2dbc3

SHA1
ddbf2dd501602d7a3a11597bb6892872814d1dc8

SHA256
6d5ea14b6d12c1df0111775ea95edf8538ffb349f18bea9a0d0cc716a9c024d4

SHA512
23d43c9b68718b8ad9fc805fbfdd9489cc96517515f5aa53939f30531c5e44d2db04a798e96a4373e57c4bce1cefd7fb20c6c948c196b990107dfe09425484a1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk

Filesize
1KB

MD5
e1a122226318be20a1cd48edab88d325

SHA1
a526900e0226c8ac1d630ecec6f54c2e89543e30

SHA256
a320d613cc3ae143b7efeb6ef888d47b3b836caf74f994c921348f8f06f5d24e

SHA512
38607cba7b79bed5b9a0c64cce55d518fd0fd909065dbb98352dc77ae9cf76d90da92b6ed3a13a6b44b7ee4f75c632a982ab2d17483cd491c01b3d6b8df16455

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk

Filesize
2KB

MD5
2e4b63a9d41a9b870ac28e610c1ffb1f

SHA1
af1cf9e703d53fcd55601023ff775e5992034014

SHA256
df9e376622407ae4fe71cde3ff12e809b29063a5512eeaad7361478e0eacd038

SHA512
3d66858d920cca4a901d646ab05d114ad58d99eda92b2837eb7a525612b1dc8a0305b0fefabdb705c959d76099006220671e762d133ff6b776a07b1d6ca6eb89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk

Filesize
899B

MD5
04216502a0f7063d3c4206bb48c9796f

SHA1
a93922f92362f05945b58e5f77f73bd7ccc9e706

SHA256
467160a3f611154ba612ba718c587ea3128ca36fba7033720d028fa1348bda2e

SHA512
acc9932dabee5ab702d6bbc5a3d2d5369aa369c5bdb53a5cf4c891bb675cee0b3c6db4edf2d37f5620ce9c95a5b68066f533b17d1a13374839e498377e1b80d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk

Filesize
903B

MD5
6f9e8d9a523dbd0706db9bc2c32c62aa

SHA1
6b42c7b6bc8cb3773116981706a64ab5865c2260

SHA256
90b11a5b1123b3247dee327678c67265bf9aad98953266e769458235ad9db70f

SHA512
d6dca6e06cb57aa34650afa8746166cbc8ff8b2329a26eaa38655d8a7490b9984d22ffbb6de45c009f05365a3a80fc3eae1daa072d94a9d32bbefe4c94c24089

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk

Filesize
921B

MD5
aa93ac668476a46c4512d47898ef4cee

SHA1
2b6437e512acf041388975b8b968265e25345253

SHA256
718215b8fc710568130d0c931b512a465d79832cd67b6e4b3fe7d1808cb17671

SHA512
d4bc43e57a28d91464e7587003bb3c4537bef7e314215f369e4937c62149f5d2027720ac8532ec8507f3062140f16e027afbad87f16ce2234d2cab2ec4e1d4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk

Filesize
2KB

MD5
3a3836bbe3624a67785ae9b854a163c9

SHA1
c46fafdc29aedf2924f103f332453bae5eecf94a

SHA256
7f879b07fb12dd6a931c8ef66a28cccf4b190e8cc4892432ff18e1061825e0e1

SHA512
c98ed28cffa9ade6652c7d66ee0b259dd137c7e0ae2c970fcc9598ba753b4185a25c85e23258601b78da5983718e88e05c3e8a8a39f3f86f9f6afab880e29b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk

Filesize
1KB

MD5
037e458129a1c9aab6f472d642ba62b2

SHA1
697448335bc5f6f303c6cb78960f578086a7b530

SHA256
37869f1b69c9eaa1f849fe78b22919f79dc94ea1a25b1ae17e24971823671fe0

SHA512
d9a97a2ea37911a9b7fe3e16cf7b388181f3b4e28971f3c6dfc51eee2b570e667ff864c2724a3aaefd7222c1ac72321b91718c9657d8a881eb848df105f4ce39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk

Filesize
905B

MD5
c0272b9e66420a5ea610ab88404fa691

SHA1
c55605878d1cede09727013edec5044f0a4e1837

SHA256
03018830ac0a7180d53a6fa9dae38680d0f25fc5dcdb8ad28df5394124e1a44d

SHA512
706ce2c100f9f45793734953ef7286c0953348d2739cdf3700ca9d5dddda26376f5602a1c379c851b9cedd0d67240e27061e97e34735ca76ff61333267642862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk

Filesize
1KB

MD5
1fbee85d42cd3ec49b8dcd4f03dccaa8

SHA1
29a273e805a68d4b25859dbedd50a1bc43eb0429

SHA256
735a630f66cf0d05198f80fd35f6a391e9f103e8e70357e07b54bb0cb463b024

SHA512
27c98f62fef8a8da691dbb581d04f7f67d6e7a56f6356fa166d01cb1b9672e379c7db2a54cc5c1d670201c763aad4a176de7a2f5ec85c19b598c2e55c795bcae

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
d9f9fa2f8367fc20c20a2bdac0241f8e

SHA1
7b92cd3a5422213b0b5eee58e954841e59189faa

SHA256
77ea5a2ef13f18d20cd3d09cb6af35f5a2d1858ae3f27acb3a275e5d0e9517a2

SHA512
f8fa42c8522207098e36cb1a5c819e903015db643aff2b5b18b3e139b6cef08ef61de492ce3f3ba5ff21958bb1beb3dc0bb68778834dab50f73c09d6d723ad07

Download Submit
memory/2800-0-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2800-1-0x0000000000750000-0x0000000000753000-memory.dmp

Filesize
12KB

Download
memory/2800-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2800-37-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3948-38-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/3948-40-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3948-646-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3948-648-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download