Analysis
-
max time kernel
810s -
max time network
811s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
10-08-2024 10:13
Errors
General
-
Target
file.ps1
-
Size
1B
-
MD5
7215ee9c7d9dc229d2921a40e899ec5f
-
SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6
-
SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
-
SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 20 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file 2 IoCs
-
System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs
Abuse Rundll32 to proxy execution of malicious code.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 51 IoCs
-
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 10 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 42 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\diskmgmt.msc1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\Volume\{18111a60-3d65-11ef-8487-806e6f6e6963}#0000003AFFF00000" "" "" "65d657873" "0000000000000000" "00000000000005D4" "00000000000005D8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Sidebar\sidebar.exe"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5401⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\OptionalFeatures.exe"C:\Windows\system32\OptionalFeatures.exe"1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\userinit.exeC:\Windows\system32\userinit.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE3⤵
- Modifies visibility of file extensions in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll4⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE4⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE5⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI4⤵
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll4⤵
- Drops startup file
- Drops desktop.ini file(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig4⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache5⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,365⤵
- System Binary Proxy Execution: Rundll32
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m5⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /06⤵
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll4⤵
- Sets desktop wallpaper using registry
- Modifies Internet Explorer settings
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI4⤵
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll4⤵
- Drops startup file
- Drops desktop.ini file(s)
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install4⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level4⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13fdd7688,0x13fdd7698,0x13fdd76a85⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=05⤵
- Drops file in Windows directory
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13fdd7688,0x13fdd7698,0x13fdd76a86⤵
-
C:\Windows\System32\txpn4-.exe"C:\Windows\System32\txpn4-.exe"4⤵
-
C:\Program Files\Windows Sidebar\sidebar.exe"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun4⤵
-
C:\Windows\SysWOW64\runonce.exeC:\Windows\SysWOW64\runonce.exe /Run64324⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\mctadmin.exe"C:\Windows\System32\mctadmin.exe"4⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms4⤵
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" /name Microsoft.BackupAndRestore4⤵
-
C:\Windows\system32\sdclt.exe"C:\Windows\system32\sdclt.exe" /BLBBACKUPWIZARD4⤵
-
C:\Windows\system32\recdisc.exe"C:\Windows\system32\recdisc.exe"4⤵
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "1176" "2232"4⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{9200689A-F979-4EEA-8830-0E1D6B74821F}1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
-
C:\Windows\system32\utilman.exeutilman.exe /debug2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Pre-OS Boot
1Bootkit
1Event Triggered Execution
1Accessibility Features
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Event Triggered Execution
1Accessibility Features
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
7System Binary Proxy Execution
1Rundll32
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
3KB
MD5b3931758609306742e5fe3cb40bad310
SHA18a0c926186ddb28cbddf95c584e4fbcac2f40993
SHA256fcbc62df65a9abef806c1b2999dd45850d5918d7b5a879074e1f341cace651c5
SHA5123f3b7dacdf232cb6b4f588e1a63100498d679e0d564bcff9b7e9c0e97419d49a8e1bf69a24d13ff0e65abde1997da018cbbc628ee30393ebaa46797eed810f2c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
3KB
MD51aec8837d82983dfcdbacc0a2124db5a
SHA185d50b8b0c4b4e0367550db3c120109aa192268c
SHA256d7ff047318657bb40a29ff7830e4d174813b0951deb1167f615254dd802140f5
SHA512f504500c56e33026df15e2c2d0ebb0c107867a422d6e863cc6be339c8369d720287493766f49a033cb57b7be61cbcc58058986a180c20ec189bc0790b4099b23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
3KB
MD5c3af9218b6aeb534dc98f829f530bd17
SHA1205157d6dd14e0deb6797201758ee7ddca9e43d6
SHA256b931ff44495b474ca7f1708af686c8c8413fb7820b1133713acbc5539182c355
SHA512cf6dcf519b3e6ac56e17a7e14383d7350fa029a5fdea8b0854a8ff584e21a61da294a4c3a1b7451e02ab3daffd66225dc9b3f015fc6885051f85374376dc018c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
3KB
MD5c6c9c8d07432e6b4d8d67c7d2325cc38
SHA12ee26228292b2d8d0d2bdac4ceb8568c8868a461
SHA25613301145cb9c543635b839562acf051ae15693a352c114673f5734d7ca9b1282
SHA512493ced8fb249feffbeef1436434a2fd169fda6e8853626d0d9896a290a9807f192361fd47bb40549ca95ed3452e847e606f34216f7ea9915179b9d6b7d573e48
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
1KB
MD501c367174b6ed28a3f6e8b0ece294d2b
SHA15f822f84e478524441b6f867b7569edb4fc109c0
SHA256e2cbd882003861e326a07fed9144f5eccedf8edfc9fe495c3d3ade7142188661
SHA512e4d9e82d6b483b0074e72c59723d94c77a8b39f79592ebadb723e2973fe9662889672e7d1d93c80b5ca617d07987ef4296ef734c06404882a47142b5c68cb454
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
4KB
MD518d60e948b49dbbf3e57a2536cb49fb2
SHA1449505a539eb02256626784d9318e774c74c4d3e
SHA25614a2aa203e9590f24f6091ec49887344d0593180c5a8084b32f06ecb235bd2f8
SHA512286d38119d92ab96e4eadeafa60f1a89f27d1bfd9d2cc125293002423d54bb9bd6dfb9c6731b9b41ec574fc21faa30a90405f7f62277d419f1400ebf55fdf4cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
1KB
MD50ea780aab1d7e2375ec3ec03cebeebea
SHA1e29083a4f4697b29ba2438234b8e16b46bd01f4c
SHA2562d958f38e419e26674122d49083a8b41d0a972e4dfb02148726e67f08fca4a31
SHA512a9a21789e6147244a864e735042ad44909250efeab0ec8b036b2b543838e2a85aaa4db0a8b43596e915f49ed324cbdbc52368bfe84090b1bd01e455f84cae5e6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
4KB
MD5a167432fb990840d32224a8bcd419e35
SHA125dda7a33cb763d761648cff73afb7afc54d9fba
SHA256c392ba1a12c7bc9248b53b4ce805752d18868422a729d7a00cb4e02c560a3edd
SHA512ca982b33ada4083cef1ed3d407c5aa0ea5b39d31db27f20f07c7e9e833d511a44a2d412377aa8999d8426f2f327535ebc251d5e41b476a2ad131f10ba2a16011
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.iniFilesize
2KB
MD58026d645539c8f7ac2e78697acfe4532
SHA15ab621fc2965f29b8d73ee7b91ac67d159cf3c91
SHA2560a1a68494e1c8ceed3bc53dbe102a0aeb6075d3d7c9793b2d95a391fe9727b30
SHA5120132875d0092e261b5bf94287ce9a2365ac0e0b50039e22e82f8db29c2dcdceef51b1f9f289e34ad7d46dcfafe19769c1b8825ebc7f00d0bd85521d85f0e5e41
-
C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD551fcc3c956c38c031ac9a52474993006
SHA1f9fb0093b818b668b4aac6c3d287a0df5c05a809
SHA256cf0eb5375a94e76a9dda15188628bee03c7ab66e9efd835e2947b428c65efd19
SHA5126883ef12559c25c65d7584bb3e5d9e6fe32d7d357ed355ce12c6e9338a7dc6340227b00cd18bc0ac29cebb30e208c6c9367b811d1a1ee3efd66f95356aa89456
-
C:\Users\Guest\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-msFilesize
28KB
MD59c8fda1889acf863cf51a9ab5cc1040b
SHA14db8218d42204b53f4eade795d0891197d2dcf90
SHA256c0a93b5f6695da4d08c6dabc5b5ae337abde6d64dffd8f937c7cecef2591f03e
SHA512045603258806ee73267e1cbbb2209c4ca250e37a7f00721e5aac1bb0ce8256f8b14f765cb2b50224ec245cda81b1223a92d2b7dc8d099a71347b4c8570bf20ba
-
C:\Users\Guest\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdbFilesize
1.0MB
MD55ad078731f64bcfcf33de76df2e5f936
SHA19d0bb2642d247606ef275a629cbc6502a501e96b
SHA2564719e9aa8b16141987c1c05cb5da6e95327f820f7e758f6c94b8d3ff8f920557
SHA5120e2c2a58efbc893a5089954bb40948760b162eb26542394078c7a1f5e01dda390544802bb52efc6a15b72b792066bdb1d6db666f2fe3c9e3d1cb14b50a2b785f
-
C:\Users\Guest\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdbFilesize
68KB
MD5ee78a670ded2da13fdcae3b44d9d7602
SHA13729b71a13544359dc559a0003a1060a5bd727b9
SHA2564e82fc05a6de9fc6a7f0af2caae938bd4597b6b19da3c12d2f86ebac7a7ffc2b
SHA51216e15323f5261679f420740ac3b9653a7d451fd8d5f81b3f803831bd673ab74aa485952bf61e5a4f28f6cb638344106cb74b4dcc76c1af372f595226521422ba
-
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStoreFilesize
2.0MB
MD585f13ff349c6a82d97e2da4cc0a7528a
SHA121b32aefb5807101bb2609aff7d4b57a091b3743
SHA25640c0d2eae5670915bf2376d581e64cfebd7ca5f1a19fa0e943b4a5cbce88351a
SHA512b59b8cf37250e2b224cffa0d1039889fb3257531793a2a874936766df191474dc7ca88efc50f62edfa6ff40bc8e4ac73d5f34c9a7562a11bf747261aac70c38e
-
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.chkFilesize
8KB
MD58cea13144b4ec38520da69b50bac198f
SHA1b424e4797ed2938103b12d9689ed871c3e39d4a1
SHA256bf7adbe926fcbfbbd45a78206ae9a6e084bd027b24cda889dbe71876dc3bdfb1
SHA5120f622fd3d45bfed1f6c826c2bb7fc7177d2691706c3ce0bc86ba29d7d8d33611efea692d71a6cc7128a108dfa3715b263d1b58f045b8d909f7e49e1f7643d4a5
-
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.logFilesize
2.0MB
MD5f023103bec2cf3e471729153ffe3aa8c
SHA183977c52d76f371a10a2dc0790291190ca7861bb
SHA256801ba7f1601a7477f2988cbb90652e36d5b34859207b92edeeb218e54f862c2c
SHA512e971576ae770efe210a440d46b490ef9a31ef3b7e251d2e7d928e28e1a259bd3da521badc1be49764a48546ef3fc805539097450b9466816a5148bfa217e858c
-
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.logFilesize
2.0MB
MD5996701f54e3efcbd4a8c20cb449cd90d
SHA12218c85d8265f676cee0992701fd9e2ad07d16fa
SHA256aa03feb1048b2e1fcc4288a9b6bce347a06fe4843cc46f7eeb6550006018b080
SHA512126659b23567ca23c7514c776c5893f4c3f640f2b06bf7b3121e6399b7d5fb882c4afcb0929f310443ae8132b80c01da28794eb632bfd755a105af04c09fe361
-
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.logFilesize
2.0MB
MD52ba7eadf3fe5fc5582a05278d3a5afb6
SHA108a86c0a2bcc74d8b08d79028e3cff08a9eef34d
SHA256e800525c00b322d351b48bc0b89f3981fcc9f5ec4d76da34b2d3310655451e0a
SHA512d3cfb73a6f331b72d196a9c3894692d3d33aaa4d225a1324de17fad20baa41563306bbccdce1d05f1ddac50f9ec4ab3532af638a2ab4bb800737eb59fc15e953
-
C:\Users\Guest\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Guest\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.iniFilesize
174B
MD5e0fd7e6b4853592ac9ac73df9d83783f
SHA12834e77dfa1269ddad948b87d88887e84179594a
SHA256feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55
-
C:\Users\Guest\AppData\Local\Temp\RGI1989.tmpFilesize
24KB
MD53006752a2bcfeda0f75d551ea656b2ef
SHA1b7198fc772be6d6261ed4e76aca3998e8f7a7bdb
SHA256dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a
SHA5123fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854
-
C:\Users\Guest\AppData\Local\Temp\RGI19AE.tmpFilesize
3KB
MD5a828b8c496779bdb61fce06ba0d57c39
SHA12c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea
-
C:\Users\Guest\AppData\Local\Temp\chrome_installer.logFilesize
1KB
MD53a53e176a482653e94ed2f404c20b5b9
SHA1e6137acf567f7b6d5eee5da0aa56190a610c6513
SHA2560d8a173a1c51caa43547857318ded2d25ef28b6fb71bebeb0c74e298c3644222
SHA5126674763169adb5eff46ea44cf77b1870103f41ceaaa0f3ce488d663eaa062a46f85d3dd661610215806bef5d53e4b0d12e8ecdcd7b53a17a0fe555ce58a50485
-
C:\Users\Guest\AppData\Local\Temp\wmsetup.logFilesize
796B
MD5e3190d033bfae231c1e3a41a94de3d19
SHA1e2c3be94f49f82411a0c9ff664c710f2e926dfb2
SHA2566f95216a1b0ce2b639879b5d8f8d70d8b4e17ea236fc52d81b47d1a2570218bc
SHA512666385cc28a3d1025de2c9a94117b66a44d7a9db239e16ce0da76fbe2c3ee988a406c2acf12d318a70c5c3808ec9f468ae52313544ab88609c6f33329f98a5bf
-
C:\Users\Guest\AppData\Local\Temp\www1D18.tmpFilesize
206B
MD5c2858b664c882dcce6042c40041f6108
SHA152eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a
SHA256b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91
SHA51251522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260
-
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnkFilesize
2KB
MD5c033ef314308ab291f573900a821fd33
SHA16723b17099de3e434dc2df52a9fbe5275c875dc3
SHA25641dd849a0d41d730e4562145805a3f55c7b7a3fde994c3872a6280a4f90f7377
SHA51233047e3bbaebf75e434c2c3f1d25f1c212053b8e3afcd81c89a7d6cc0407e3a34b9607a8245188d44c04f4e04f2fe27dd8624beac1fa3ac104fa4b6469ff7e72
-
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnkFilesize
1KB
MD547b2e1c4ddd5fa161f4e7314222d7a29
SHA1f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4
SHA25620b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772
SHA51207c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b
-
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnkFilesize
1KB
MD51753862b9596fd4e83ec9b4b0c472cd4
SHA1c8516b2d82a332ddc4f0d099071db9874934578e
SHA256159f450db4ab4a07c182ab8cb7a165f23c61ab4ab1d3e14a77a5e8de31e0f6e5
SHA512c95c14e449f72d92db5e02a4e6531340de33dff702e7493a971b6f2209b2602e12071faba735e75ee59d75792b2ca60d7cddcf54a9e537e336a93548482f9eb5
-
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.iniFilesize
82B
MD51c61dc21f9b83172d65be1e94b79026f
SHA17324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA2568e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA5129660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8
-
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.iniFilesize
146B
MD59a1b13fd914dd7054b83bc1760c99ab8
SHA1340c37602b11cd3cb9ae681d09bfc4c81f733742
SHA2567f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3
SHA51250d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e
-
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.iniFilesize
211B
MD5e5a8eb64419f6d85a1b7aed2152616c2
SHA1f5d94f8953bb235e35fccec0ea4f14ba69443081
SHA2565266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7
SHA5127c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-msFilesize
3KB
MD5955a4c7fb331585547e764180f1d987d
SHA1cdc26796f85293e3a3ca50bcc8cf50c2e7f2e514
SHA2567d41bef05bc84053c9af9c399be32ec36830cef069dded1e6d6dae1105efb2a8
SHA5122df934d61d04d80ef90dbed6b660eb32ec68567f20620ce6ac2fee91d17223e592126a908d1d3b523a52a008feba54495f7f6c49fae28bd3b53c1dee0c97458c
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-msFilesize
3KB
MD5990457fd9d0a39c012f501dc5a1b690a
SHA10f91b4f8d00acf1a01d7586123f5262707249f3a
SHA256dc0707b14a372e1cab862bb46c07cebbdbe785a1265eb8c777b27bfe3eb9729b
SHA5120bf914269e2332069dbc71ef6336c1735424b2fc0968fe2575688c18b3323cfd518d12d5178c9df502994de7adf82b5e0f89cd4e4f7a00a3dbaa730164f74dc9
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-msFilesize
3KB
MD58f3129f6bc20f1c88aa0cf68b5a0ef6f
SHA1eae93bbe351c8aae72488e52a428ff7e08604e18
SHA256b38d49429439eb90f60ddf52c3645cb690d9e0bf0d293c056622759575d58905
SHA512347f8f9fc1eacdbf03f2672d5f70a658efe65c9ae911464c3092f8041c9c67c0f0ce324a50de5e2e7dd32b9480aaf654db90b6362da3e5d8f87a9ed3b3927b6c
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-msFilesize
3KB
MD53fb9d5ed3f4de359dcac5f17cbabeaf3
SHA11307534fd9766b9af8cdb545dcbad972d3ca6275
SHA25680a4a0d21ca56a593a055d1579693b6c52de3bcd5850eb5979e4cc1e307bd98d
SHA512672174b39157f41b026f484b115e8f1e89b7138bd385fb36983322def35937f12df2a34192882cb81687924121435162fc085c35a67cd0547557339550ac554a
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-msFilesize
3KB
MD5923f339dbc4ef37639c9bf803291ad4e
SHA106bd74a1691ea96b91fa8784a916290d7a6809e3
SHA256e6994acd3e9bf2a52f8a4c3f72cd21d5c2e6f2de78fe1b5565acd4cb2090b865
SHA512ff91c752316c1e1d6f030b98cadb06b4ebc1a6e8d94513f56592929fcc1c86fca7bbdb2aa07c18b93134dd58e15472e5095c7819ed187fa3eed3286f839e290e
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-msFilesize
3KB
MD54300b139557fd24ad73010754de7b626
SHA1c382977610a397f35b5db6a2c5535768b5a4f2ce
SHA256ba21f79b9d113f0fa54fc938d6cb76c9aa269d41082279753a026febacaaafd5
SHA51254f925ef005f26444fd58c46f312a37554dca3e134a5416b3d715f2e0efaa1ad6969307b9a7b74db14de75981c2c689b38c0fe15e7c36090e0ef1748ddfbbdb2
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-msFilesize
3KB
MD5ab79dce192c973bfc677375c487f28c7
SHA117e86def2420639bb2fe8543f6a75b6a29db7e3f
SHA2565e3bde754d2ef131a2c8ac545d008d64b123f99723527be6e2a3b36abc4c38f8
SHA5128020824d105e7a07a813b241ad8af9154381e4c23a6fc847b87ff753cc1bf55eab7de78ce68d28ed908f8075a1d67015fc4bd94ff759a600ab1f3354775cac2e
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-msFilesize
3KB
MD545218737ee1b7ab19d1e0b78451d2eaa
SHA139aeab5526f58efd4ab5c356670b1c3ab097920f
SHA256cf56b77d59a4abaf21bbdec2d3bdb30707b714b849b82bfc6072ad26a321cf5e
SHA5125f15cf97580e2dfdd1eacc2a27a9b8de3d05ac81dddb8cdf88f22b10e9871b8da6e7ba03b207eeda5f951e3ac0274ef2b081c3c7019e866322eb6439983381ed
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.iniFilesize
87B
MD5764bcd12f24f7fa8fa5887f720a19179
SHA15c8348269c4161726f49fe257f0bf1d9179489dd
SHA256d3cdda5c91a4998c77a697056ab5b3f23f44483de31714d3a069e4a67055c518
SHA512581d7c9076f036482ea5b116fbc179e402f2264239c1f118af3fc9c2914eb23583b770f3d9e6f8d03c9017ee24a3d88873d547bb0d200017de72121c41dec160
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.iniFilesize
274B
MD5453249f95d75eb5e450eb91fa755e1c8
SHA13e200e187e8cd21d3d1976ea0f7356626254de18
SHA25601bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a
SHA5126125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-msFilesize
15KB
MD5e8e1ec65358db66cf907a84ef00fa7a2
SHA193c82c6ed2da2d7f6fb6ceb7da7a30344b31d916
SHA25690fc96703d4206347de247f15534afcef9959c1477f8869886347748c567fc9a
SHA512eb65c2d01bd8bedd4ad04d8c25d6ebf8c05972e12362baed5a19d9ea5fd10c5baa2280ef6b74e0c8538a95403f08ee6f8e34527b34447c1173af0397011ac250
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent\desktop.iniFilesize
432B
MD5f107d0270e21a2fe91099fdc15918d44
SHA1dabc2f24f4a4e90053743166e5c4175dcf2b2d2d
SHA256eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8
SHA512b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnkFilesize
1KB
MD5609518dc06a595de1abf0d40d4443557
SHA13549e2b3f3da1d09e08c76107211463a0edd3b15
SHA25671b77e297b735c5e7885e95ee108bb07cd0b4ed6356d611c15b086529cd49d24
SHA51256f44e97e6e667425ea9920ae2d1064dfd3dc630b3327cbac5f7588916eaa446110b0374edbb0420bad87e73d5f31a7b6e198df6c11f94acaec6ffecd3ff1c6b
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.iniFilesize
738B
MD53a33faac6513738fd86f43dff8989882
SHA1afd4390e6b63c40e55ca08d27661a23d657b01a2
SHA25621a4315cbae2b0e8db633e86c344171da86f115bcbbb745680ff6f577668c910
SHA5128d7a47cba6b4d0da36151221c373625b67e44354b7cde41b5c3657e73a843b22a0a5b0bf92a4cbc32eac70b8292d674821085acf92bb58b94ea4542458c94b57
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.iniFilesize
174B
MD5548b310fbc7a26d0b9da3a9f2d604a0c
SHA11e20c38b721dff06faa8aa69a69e616c228736c1
SHA256be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac
SHA512fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnkFilesize
1KB
MD5d68c34d16479fc87562bc4a8b5caaba3
SHA13ce5f87670fef9314354bf725f1e8f1e7d44f209
SHA2569928516b52b98f0830a1174185d6fe86a2469e8c2495cd5aece39f0895d7df2a
SHA512f3c33226e2df65da8f776e4211b176c6056a78caff667c5fdd4611cea7a88bfc8951759caf0193946a7958b6505e8dd9f896a1f683b0b34fa8521f4be917f486
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.iniFilesize
174B
MD57f1698bab066b764a314a589d338daae
SHA1524abe4db03afef220a2cc96bf0428fd1b704342
SHA256cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76
SHA5124f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.iniFilesize
338B
MD5e4e50dfa455b2cbe356dffdf7aa1fcaf
SHA1c58be9d954b5e2dd0e5efa23a0a3d95ab8119205
SHA2569284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927
SHA512bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.iniFilesize
174B
MD517d5d0735deaa1fb4b41a7c406763c0a
SHA1584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniFilesize
174B
MD5a2d31a04bc38eeac22fca3e30508ba47
SHA19b7c7a42c831fcd77e77ade6d3d6f033f76893d2
SHA2568e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531
SHA512ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6
-
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpgFilesize
627KB
MD5da288dceaafd7c97f1b09c594eac7868
SHA1b433a6157cc21fc3258495928cd0ef4b487f99d3
SHA2566ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2
SHA5129af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062
-
C:\Users\Guest\Contacts\Guest.contactFilesize
66KB
MD5f92dc14892b16d41af4d28471ad78e81
SHA1cac0425e3500d40eae09cd76ad4a2d30c2083f36
SHA256d875aca6d5a4a3fa8054cbae42857044f7ae2a2f9eb194b58306538bc3856b81
SHA512c463c125be68326e3cc764d7dc6b2213dfc0f440d7e75b6e7f1e789f422a603fa23ebb08a9d0bd7c501f6bcc21aba20e9497ee1b5c694e45547c247683c73316
-
C:\Users\Guest\Contacts\desktop.iniFilesize
432B
MD5eefa7f76ff11a5ec21bb777b798ac46c
SHA12e7a65ea8427d13a92ea159a5b8859ff99d2a836
SHA256840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae
SHA512111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef
-
C:\Users\Guest\Contacts\desktop.iniFilesize
412B
MD5449f2e76e519890a212814d96ce67d64
SHA1a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA25648a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738
-
C:\Users\Guest\Desktop\desktop.iniFilesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
C:\Users\Guest\Documents\desktop.iniFilesize
402B
MD5ecf88f261853fe08d58e2e903220da14
SHA1f72807a9e081906654ae196605e681d5938a2e6c
SHA256cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA51282c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b
-
C:\Users\Guest\Downloads\desktop.iniFilesize
282B
MD53a37312509712d4e12d27240137ff377
SHA130ced927e23b584725cf16351394175a6d2a9577
SHA256b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05
-
C:\Users\Guest\Favorites\Links for United States\desktop.iniFilesize
140B
MD543732b12dc5e0c37046900fa2a1f0df8
SHA1dcaaf6b16847f4ff66788aa1416c137e62361d0f
SHA256e8e187d06caeb619b7a60d6fd4d1f4e9d70f5a232b02826ce3ebef56246f942b
SHA512578126bec9b73a8d55da85f4f9fd8d91b21c1b25314c706cfbd5efee5a869e85514423f0d437709c9888dc98fdd9f9778444430419d3316113d2b13540a458ed
-
C:\Users\Guest\Favorites\Links for United States\desktop.iniFilesize
224B
MD587a61a68c2db9b094112d4f4290fb795
SHA11b5e6ec32415d010e5311caea31df96b0294fb65
SHA256e25a84c6e593a5bd6592eca920fbc126d3e96c8d80f2bb0b17a36e40ed42c1db
SHA512148411b6bd6133b17c3d192594338180846df638b9fd6bef7ddeb13c3858b3eab91940102349f2827ec69111adf7e506f4340b395928672180715798b4238919
-
C:\Users\Guest\Favorites\Links\Web Slice Gallery.urlFilesize
134B
MD5873c8643cbbfb8ff63731bc25ac9b18c
SHA1043cbc1b31b9988d8041c3d01f71ce3393911f69
SHA256c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466
SHA512356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943
-
C:\Users\Guest\Favorites\Links\Web Slice Gallery.urlFilesize
226B
MD5ad93eaac4ac4a095f8828f14790c1f8c
SHA1f84f24c4ca9d04485a0005770e3ef1ca30eede55
SHA256729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac
SHA512f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769
-
C:\Users\Guest\Favorites\desktop.iniFilesize
402B
MD5881dfac93652edb0a8228029ba92d0f5
SHA15b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810
-
C:\Users\Guest\Links\Desktop.lnkFilesize
444B
MD5ea6b762622360914cda2c9bae627d679
SHA16f2459b21cec2c275ceb3da8bcb9b68a1e1f3ad8
SHA256f2d66ab730aab681eeaf6b72dd036fd843491022c97b22ea34875b1dde7d43df
SHA5122d1bfeb77d7c04304334dbcea0109904f147d67e084b2bc3b0f48514f19593b78b7c4f4fc66148ec3005ac1aa6554687c237bdd659f3025b5a9e8ee4eaa6e373
-
C:\Users\Guest\Links\Downloads.lnkFilesize
855B
MD5e086269375b19a728bb674a00598f121
SHA115297737a90987f6fa13a66f40a778ab8c99a0f1
SHA256ce00681e93413b0cd816a0a928fc13648918d5f8ea0fe42b313f16d3b09f97cc
SHA512487f41d707b5ef551ddfc8e50532edd653e8416438c33eb766378cf145a8b2cf1f0f0545e9770bcc069c5addbb1e527b1987816e2dd5edd2596b3ee2ec07742f
-
C:\Users\Guest\Links\RecentPlaces.lnkFilesize
363B
MD50025c3a7d7c4e90e58332958b00d83c4
SHA101dd4fdb260f66923004acb5a874111a9d14da38
SHA25636db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b
SHA512b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4
-
C:\Users\Guest\Links\desktop.iniFilesize
402B
MD5f458374ae40c626735132badbc5b0370
SHA13d65ce3308dd1e4bdc2edb5f082aa6d15984d08f
SHA256c053541e6dfaebf133f0e0c6712d42e9905de896814d4c10b8e728f0345700c7
SHA512e076d1f2a20fae037dd2dd7197d20b41687c9652d2e42e3c567806a0775a2a5427b3c481dc502315c5bfdf58cde908ee89e073e0124393972211ff5375f454e0
-
C:\Users\Guest\Links\desktop.iniFilesize
468B
MD592adc8410cd8cb1d0481e2adbb62c7dd
SHA1bac1444ebe0bac748966f3bee84ee11e151a4810
SHA2564a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694
SHA512d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62
-
C:\Users\Guest\Links\desktop.iniFilesize
580B
MD5de8858093993987d123060097a2bad66
SHA10a89e87ba46538cb73aff1a47e4dc0bcfb4760d5
SHA2564c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec
SHA512fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c
-
C:\Users\Guest\Music\desktop.iniFilesize
504B
MD506e8f7e6ddd666dbd323f7d9210f91ae
SHA1883ae527ee83ed9346cd82c33dfc0eb97298dc14
SHA2568301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
SHA512f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98
-
C:\Users\Guest\Pictures\desktop.iniFilesize
504B
MD529eae335b77f438e05594d86a6ca22ff
SHA1d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA25688856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA5125d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17
-
C:\Users\Guest\Saved Games\desktop.iniFilesize
282B
MD5b441cf59b5a64f74ac3bed45be9fadfc
SHA13da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3
-
C:\Users\Guest\Searches\Everywhere.search-msFilesize
248B
MD50fa26b6c98419b5e7c00efffb5835612
SHA1d904d6683a548b03950d94da33cdfccbb55a9bc7
SHA2564094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24
SHA512b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042
-
C:\Users\Guest\Searches\Indexed Locations.search-msFilesize
248B
MD5b6acbeb59959aa5412a7565423ea7bab
SHA14905f02dbef69c830b807a32e9a4b6206bd01dc6
SHA25699653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38
SHA5120058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162
-
C:\Users\Guest\Searches\desktop.iniFilesize
524B
MD5089d48a11bff0df720f1079f5dc58a83
SHA188f1c647378b5b22ebadb465dc80fcfd9e7b97c9
SHA256a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
SHA512f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8
-
C:\Users\Guest\Searches\desktop.iniFilesize
278B
MD58e11566270550c575d6d2c695c5a4b1f
SHA1ae9645fad2107b5899f354c9144a4dfc33b66f9e
SHA2561dc14736f6b0e9b68059324321acc14e156cd3a2890466a23bf7abf365d6c704
SHA512a9fc4b17d75f85ae64315ba94570cb5317b5510c655d3d5c8fb44091ea37f31e431e99ed5308252897bdd93c34e771bf80f456c4873ef0aa58ca9bbb2e5ff7e0
-
C:\Users\Guest\Videos\desktop.iniFilesize
504B
MD550a956778107a4272aae83c86ece77cb
SHA110bce7ea45077c0baab055e0602eef787dba735e
SHA256b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
SHA512d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a
-
memory/636-138-0x000007FFFFEF0000-0x000007FFFFF00000-memory.dmpFilesize
64KB
-
memory/1176-1811-0x0000000005920000-0x0000000005930000-memory.dmpFilesize
64KB
-
memory/1644-12-0x0000000002070000-0x0000000002071000-memory.dmpFilesize
4KB
-
memory/1644-13-0x0000000002070000-0x0000000002071000-memory.dmpFilesize
4KB
-
memory/2112-717-0x0000000002E90000-0x0000000002E91000-memory.dmpFilesize
4KB
-
memory/2112-651-0x0000000002B50000-0x0000000002B52000-memory.dmpFilesize
8KB
-
memory/2112-643-0x0000000002B50000-0x0000000002B52000-memory.dmpFilesize
8KB
-
memory/2112-641-0x0000000002B60000-0x0000000002B62000-memory.dmpFilesize
8KB
-
memory/2112-633-0x0000000002580000-0x0000000002582000-memory.dmpFilesize
8KB
-
memory/2112-630-0x0000000002580000-0x0000000002582000-memory.dmpFilesize
8KB
-
memory/2112-716-0x0000000002EA0000-0x0000000002EA2000-memory.dmpFilesize
8KB
-
memory/2112-720-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/2112-724-0x00000000024A0000-0x00000000024A2000-memory.dmpFilesize
8KB
-
memory/2112-628-0x0000000002580000-0x0000000002581000-memory.dmpFilesize
4KB
-
memory/2112-607-0x0000000001FE0000-0x0000000001FF0000-memory.dmpFilesize
64KB
-
memory/2112-613-0x0000000002390000-0x00000000023A0000-memory.dmpFilesize
64KB
-
memory/2112-726-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/2364-1251-0x0000000002320000-0x0000000002322000-memory.dmpFilesize
8KB
-
memory/2364-1253-0x0000000002220000-0x0000000002221000-memory.dmpFilesize
4KB
-
memory/2364-1241-0x0000000002610000-0x0000000002612000-memory.dmpFilesize
8KB
-
memory/2364-1244-0x0000000002660000-0x0000000002661000-memory.dmpFilesize
4KB
-
memory/2520-4-0x000007FEF641E000-0x000007FEF641F000-memory.dmpFilesize
4KB
-
memory/2520-11-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmpFilesize
9.6MB
-
memory/2520-10-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmpFilesize
9.6MB
-
memory/2520-9-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmpFilesize
9.6MB
-
memory/2520-8-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmpFilesize
9.6MB
-
memory/2520-7-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmpFilesize
9.6MB
-
memory/2520-6-0x0000000001E60000-0x0000000001E68000-memory.dmpFilesize
32KB
-
memory/2520-5-0x000000001B750000-0x000000001BA32000-memory.dmpFilesize
2.9MB
