Resubmissions

20-10-2024 02:00

241020-cfbreathkm 9

20-10-2024 01:55

241020-cceznatfnr 10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    20-10-2024 01:55

General

  • Target

    http://roblox.com

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 20 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

    Abuse Rundll32 to proxy execution of malicious code.

  • Drops desktop.ini file(s) 55 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://roblox.com
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2736
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2548
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2716
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:2388
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
    • C:\Windows\system32\userinit.exe
      C:\Windows\system32\userinit.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • Checks processor information in registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
          4⤵
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • Modifies Internet Explorer settings
          PID:2912
        • C:\Program Files (x86)\Windows Mail\WinMail.exe
          "C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
          4⤵
          • Drops desktop.ini file(s)
          • System Location Discovery: System Language Discovery
          PID:840
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
            5⤵
            • Drops desktop.ini file(s)
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1568
        • C:\Windows\System32\unregmp2.exe
          "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
          4⤵
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:1720
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
          4⤵
          • Drops startup file
          • Drops desktop.ini file(s)
          PID:1268
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2688
        • C:\Windows\System32\ie4uinit.exe
          "C:\Windows\System32\ie4uinit.exe" -UserConfig
          4⤵
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Suspicious use of AdjustPrivilegeToken
          PID:2724
          • C:\Windows\System32\ie4uinit.exe
            C:\Windows\System32\ie4uinit.exe -ClearIconCache
            5⤵
            PID:548
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
            5⤵
            • System Binary Proxy Execution: Rundll32
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
            5⤵
            PID:3064
            • C:\Windows\system32\RunDll32.exe
              C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
              6⤵
              PID:1908
            • C:\Windows\system32\RunDll32.exe
              C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
              6⤵
              PID:1504
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
          4⤵
          • Sets desktop wallpaper using registry
          PID:1264
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2924
        • C:\Windows\System32\unregmp2.exe
          "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
          4⤵
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:1936
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
          4⤵
          • Drops startup file
          • Drops desktop.ini file(s)
          PID:1496
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
          4⤵
          PID:2492
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
          4⤵
          PID:2376
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401c7688,0x1401c7698,0x1401c76a8
            5⤵
            PID:1264
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
            5⤵
            PID:1088
            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401c7688,0x1401c7698,0x1401c76a8
              6⤵
              PID:2264
        • C:\Windows\System32\dzuhbf.exe
          "C:\Windows\System32\dzuhbf.exe"
          4⤵
          PID:1868
        • C:\Program Files\Windows Sidebar\sidebar.exe
          "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
          4⤵
          PID:1700
        • C:\Windows\SysWOW64\runonce.exe
          C:\Windows\SysWOW64\runonce.exe /Run6432
          4⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:2588
          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1792
        • C:\Windows\System32\mctadmin.exe
          "C:\Windows\System32\mctadmin.exe"
          4⤵
          • Drops desktop.ini file(s)
          PID:2560
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:588
          • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe" Adobe Reader;65916
            5⤵
            • Drops desktop.ini file(s)
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2052
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1368
  • C:\Windows\system32\rundll32.exe
    rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
    1⤵
    PID:884
  • C:\Windows\system32\rundll32.exe
    rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
    1⤵
    PID:2284
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    1⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Google\Chrome\Application\SetupMetrics\acc5120d-45c5-4833-a33a-90fb3f975a67.tmp
    Filesize: 488B
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
    Filesize: 1KB
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
    Filesize: 964B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
  • C:\Users\Admin\AppData\Local\Temp\CabFA68.tmp
    Filesize: 70KB
  • C:\Users\Admin\AppData\Local\Temp\TarFAA9.tmp
    Filesize: 181KB
  • C:\Users\WINDOW~1\AppData\Local\Temp\RGI2694.tmp
    Filesize: 24KB
  • C:\Users\WINDOW~1\AppData\Local\Temp\RGI26D7.tmp
    Filesize: 3KB
  • C:\Users\WINDOW~1\AppData\Local\Temp\chrome_installer.log
    Filesize: 1KB
  • C:\Users\WINDOW~1\AppData\Local\Temp\wmsetup.log
    Filesize: 527B
  • C:\Users\WINDOW~1\AppData\Local\Temp\www2948.tmp
    Filesize: 206B
  • C:\Users\WINDOW~1\AppData\Local\Temp\www2959.tmp
    Filesize: 226B
  • C:\Users\Windows 87\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
    Filesize: 28KB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
    Filesize: 1.0MB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize: 68KB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
    Filesize: 2.0MB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.chk
    Filesize: 8KB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.log
    Filesize: 2.0MB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.log
    Filesize: 2.0MB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize: 9KB
  • C:\Users\Windows 87\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
    Filesize: 174B
  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
    Filesize: 2KB
  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
    Filesize: 1KB

                                    f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4

                                    SHA256

                                    20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772

                                    SHA512

                                    07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

                                    Filesize

                                    82B

                                    MD5

                                    1c61dc21f9b83172d65be1e94b79026f

                                    SHA1

                                    7324473ddda64b87c299bf6e3b9e9aff53f7fd74

                                    SHA256

                                    8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b

                                    SHA512

                                    9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

                                    Filesize

                                    146B

                                    MD5

                                    9a1b13fd914dd7054b83bc1760c99ab8

                                    SHA1

                                    340c37602b11cd3cb9ae681d09bfc4c81f733742

                                    SHA256

                                    7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3

                                    SHA512

                                    50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

                                    Filesize

                                    211B

                                    MD5

                                    e5a8eb64419f6d85a1b7aed2152616c2

                                    SHA1

                                    f5d94f8953bb235e35fccec0ea4f14ba69443081

                                    SHA256

                                    5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7

                                    SHA512

                                    7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    c135c2a69f8abf8eac46ba9fc8ba4ae7

                                    SHA1

                                    c31bd5e5ddcc64257471f4fcbc552750b2e09362

                                    SHA256

                                    c7ac64318738e1acc96e15aa5b2b617f63a3218a1d54f3f8c207af5508bf178b

                                    SHA512

                                    2ef6e619c56c9bf6ba9e24383c727a96674d6aaf550f87db982e31defee84414f56c7a825a0af8b6c99831198550187503a083aaa9f187dbadc81b9ec1f5f085

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    e44712b9019e0fb757fe6d714a9cc68b

                                    SHA1

                                    2fd3d36a0ed53314376d3b9959beea50d3e072cf

                                    SHA256

                                    89245b2d412f0b789ca537372b3fb8384268ace41674aa7fb9668a505b36a2d1

                                    SHA512

                                    7d44371ccc2304c3daf4fa38d3d0a2f39cfcba97479f980a7c7b786b3bc1364eede5fb4a54f592591d3b7931686a8dcb40848c41a6cc3bfaf593eaf64904ec6c

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    a02b521dcc95b48e458eb02ac77651a2

                                    SHA1

                                    3dbd253d2f9a12db8c76e99dc426e42ed35a9f0d

                                    SHA256

                                    daca98fc728725fbb4b3dfa17b6c71c837e3a34e001217d71d4bfe6cb298bc7e

                                    SHA512

                                    e2afcc8cfcee4f0dff6762870df3ce7ffd78ec73e1729ae294f5c98866fc2828779f408cc73e66e7b4a91cc89c215746b8b0a92c8b3da38460f8c3cc4fac59b6

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    1ab315bb411f43b47cb4e35342aad79a

                                    SHA1

                                    53a7ffa1235ab89163f701d9e85aa9a96d9c559f

                                    SHA256

                                    df763fa8b19ff124348c1054ff9808d83ccdbd4c65c56258678e56c6dbd6f005

                                    SHA512

                                    ace04c3e5615f7fd8e321d6a1b58775e2697f52d218348eb9a2d97435ea8a091b29264d68677f10e2a7c73dac5da8644510a1e80c2f8e2bc4c06b83a95401b04

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    1d1ee02ab709a9f5ff51df53de338a4d

                                    SHA1

                                    0d947e30bd9a13be842107bf8805a8bf69a0c871

                                    SHA256

                                    ae6b44bf265cebd6ecabf4b3357326ce631e98c54db8c75164e6edf4ebf8e331

                                    SHA512

                                    49df197b8b87fa67c9d5a2edf99d571b7fb190423ba3181ac8aa2f6ceb75bfe00c66b343a51a342d584ed540a953879f1d34937e45f753b5b6aa454726500856

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    518297d1dbbcd7730362bd4e6279b614

                                    SHA1

                                    306c7aa11a78cb583350595e5b8d5331341d9982

                                    SHA256

                                    68f45b3d002fa5ed2d4afb22a78ae63c4041ab2ba7a5dd9f246d0f8a23ebf463

                                    SHA512

                                    3b7e08bed0a7d12ca2b560fa4b316b76aef8b43b1dd50b5b64f4f632db635d2ee7a679feb5e6847bc69a785c2af9c1fb3e05c594fd34616f7890fd58ed812496

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    a75f4e6f234c3e9adb0de2b630e526e9

                                    SHA1

                                    48f4b8e64def91ec54a43333636e774d600b695e

                                    SHA256

                                    bcf7c6887d119d4a5f891206fc74425b4cb18c1677e0a1b9317b8cdefb8a297e

                                    SHA512

                                    afc89ce43a01c1e29cccd104714b4d3b6a576c91831278eda6322325c038477eba735fa4c51e5a72a9e1cb52f400a4792662cdac54f184445b5db79fd7d91464

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

                                    Filesize

                                    3KB

                                    MD5

                                    fb3973bff11fab049a5afacabc339123

                                    SHA1

                                    842ad211690f13e21998071223443e2a96d9f814

                                    SHA256

                                    f91d6a35247e0743f6ceac3a99c9192493e0f1fc57a60755a5aa557af314ee9b

                                    SHA512

                                    a4c13a9b2f636e97f53e5b4d751804ee2de166f10981ddf087b56b5e40df88740c30ba4c9fd8d496c99fe338942d7f8ca5f2dee5a811d69b8081c15ebeceb240

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

                                    Filesize

                                    151B

                                    MD5

                                    0ff56a4620c3221ff64ec61a3a0d3033

                                    SHA1

                                    3a45320be12b585dcdc5ab2af5ea1455b2c919a1

                                    SHA256

                                    0b0a65accca705494739d03b6c2ea769c78cd0eee996bc95b0c6ebc0941f4b1a

                                    SHA512

                                    962a340efeb6d18c85e5872997eebb83374e114be088689690ba438f0db8e2e4df6c24713a35cfaec518f58d5322cf9617638ea55ff279a9d161c4fdf9af74f6

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

                                    Filesize

                                    274B

                                    MD5

                                    453249f95d75eb5e450eb91fa755e1c8

                                    SHA1

                                    3e200e187e8cd21d3d1976ea0f7356626254de18

                                    SHA256

                                    01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a

                                    SHA512

                                    6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

                                    Filesize

                                    432B

                                    MD5

                                    f107d0270e21a2fe91099fdc15918d44

                                    SHA1

                                    dabc2f24f4a4e90053743166e5c4175dcf2b2d2d

                                    SHA256

                                    eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8

                                    SHA512

                                    b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

                                    Filesize

                                    1KB

                                    MD5

                                    5c3050419f28b41869ba66db61817748

                                    SHA1

                                    5aee2ad2dc2da38359fd13349bf1a48b9e1c55bc

                                    SHA256

                                    c23812e04ef2c7678c8b1d2dcb8c7d8c8bb5e35d4c8c7e8d0a606391c367b38c

                                    SHA512

                                    01e58e7bd7737887b61b58b2a4b7fd25f75493443c967484ab3b762b0e3ec19d347824a8946edd7bfffcf48282a51130f448dc9cb1b25c26d5ad26e7104dc639

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

                                    Filesize

                                    738B

                                    MD5

                                    3a33faac6513738fd86f43dff8989882

                                    SHA1

                                    afd4390e6b63c40e55ca08d27661a23d657b01a2

                                    SHA256

                                    21a4315cbae2b0e8db633e86c344171da86f115bcbbb745680ff6f577668c910

                                    SHA512

                                    8d7a47cba6b4d0da36151221c373625b67e44354b7cde41b5c3657e73a843b22a0a5b0bf92a4cbc32eac70b8292d674821085acf92bb58b94ea4542458c94b57

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

                                    Filesize

                                    174B

                                    MD5

                                    548b310fbc7a26d0b9da3a9f2d604a0c

                                    SHA1

                                    1e20c38b721dff06faa8aa69a69e616c228736c1

                                    SHA256

                                    be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac

                                    SHA512

                                    fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

                                    Filesize

                                    1KB

                                    MD5

                                    6ebf7e74b0e452f75d422e82e460eac1

                                    SHA1

                                    23ca01eccfbee7aa5b1cf7b611fd6b5a8c4e64c2

                                    SHA256

                                    a83e414905e745998e8257fcce0575c9f7ddcc25d7798d640d97856aec736bb2

                                    SHA512

                                    370ee022c382051dcdc56814c3596f829f3009e2abb26809ee07f002371502749ca3643b79dbeae2d7349a63f25838a3912a0fb6b0d983a7c6387380fce12fd7

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

                                    Filesize

                                    2B

                                    MD5

                                    f3b25701fe362ec84616a93a45ce9998

                                    SHA1

                                    d62636d8caec13f04e28442a0a6fa1afeb024bbb

                                    SHA256

                                    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                                    SHA512

                                    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

                                    Filesize

                                    174B

                                    MD5

                                    7f1698bab066b764a314a589d338daae

                                    SHA1

                                    524abe4db03afef220a2cc96bf0428fd1b704342

                                    SHA256

                                    cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76

                                    SHA512

                                    4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

                                    Filesize

                                    338B

                                    MD5

                                    e4e50dfa455b2cbe356dffdf7aa1fcaf

                                    SHA1

                                    c58be9d954b5e2dd0e5efa23a0a3d95ab8119205

                                    SHA256

                                    9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927

                                    SHA512

                                    bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

                                    Filesize

                                    174B

                                    MD5

                                    17d5d0735deaa1fb4b41a7c406763c0a

                                    SHA1

                                    584e4be752bb0f1f01e1088000fdb80f88c6cae0

                                    SHA256

                                    768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed

                                    SHA512

                                    a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

                                    Filesize

                                    174B

                                    MD5

                                    a2d31a04bc38eeac22fca3e30508ba47

                                    SHA1

                                    9b7c7a42c831fcd77e77ade6d3d6f033f76893d2

                                    SHA256

                                    8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531

                                    SHA512

                                    ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

                                  • C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

                                    Filesize

                                    627KB

                                    MD5

                                    da288dceaafd7c97f1b09c594eac7868

                                    SHA1

                                    b433a6157cc21fc3258495928cd0ef4b487f99d3

                                    SHA256

                                    6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2

                                    SHA512

                                    9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

                                  • C:\Users\Windows 87\Contacts\Windows 87.contact

                                    Filesize

                                    43KB

                                    MD5

                                    1e74ccaa1012dcf71981a8e90a2940dc

                                    SHA1

                                    1e023fd50354be4e4e9cad10c590576bdc9efd96

                                    SHA256

                                    d53a5cf535cfe0a52f96ffa5634bfa8b7ae2b5a129f174877850387c0a6c8c18

                                    SHA512

                                    3757f63977173416a5059c3de250ccae51d28f8a7628bb550af0e6c0551e1b8146c3bcf57b295114ef99309cb996d6d886951869f260624ee99aa7965f2e37f9

                                  • C:\Users\Windows 87\Contacts\desktop.ini

                                    Filesize

                                    432B

                                    MD5

                                    eefa7f76ff11a5ec21bb777b798ac46c

                                    SHA1

                                    2e7a65ea8427d13a92ea159a5b8859ff99d2a836

                                    SHA256

                                    840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae

                                    SHA512

                                    111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef

                                  • C:\Users\Windows 87\Contacts\desktop.ini

                                    Filesize

                                    412B

                                    MD5

                                    449f2e76e519890a212814d96ce67d64

                                    SHA1

                                    a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd

                                    SHA256

                                    48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7

                                    SHA512

                                    c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

                                  • C:\Users\Windows 87\Desktop\desktop.ini

                                    Filesize

                                    282B

                                    MD5

                                    9e36cc3537ee9ee1e3b10fa4e761045b

                                    SHA1

                                    7726f55012e1e26cc762c9982e7c6c54ca7bb303

                                    SHA256

                                    4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

                                    SHA512

                                    5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

                                  • C:\Users\Windows 87\Documents\desktop.ini

                                    Filesize

                                    402B

                                    MD5

                                    ecf88f261853fe08d58e2e903220da14

                                    SHA1

                                    f72807a9e081906654ae196605e681d5938a2e6c

                                    SHA256

                                    cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

                                    SHA512

                                    82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

                                  • C:\Users\Windows 87\Downloads\desktop.ini

                                    Filesize

                                    282B

                                    MD5

                                    3a37312509712d4e12d27240137ff377

                                    SHA1

                                    30ced927e23b584725cf16351394175a6d2a9577

                                    SHA256

                                    b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

                                    SHA512

                                    dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

                                  • C:\Users\Windows 87\Favorites\Links\Web Slice Gallery.url

                                    Filesize

                                    134B

                                    MD5

                                    873c8643cbbfb8ff63731bc25ac9b18c

                                    SHA1

                                    043cbc1b31b9988d8041c3d01f71ce3393911f69

                                    SHA256

                                    c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466

                                    SHA512

                                    356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

                                  • C:\Users\Windows 87\Favorites\desktop.ini

                                    Filesize

                                    402B

                                    MD5

                                    881dfac93652edb0a8228029ba92d0f5

                                    SHA1

                                    5b317253a63fecb167bf07befa05c5ed09c4ccea

                                    SHA256

                                    a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

                                    SHA512

                                    592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

                                  • C:\Users\Windows 87\Links\Desktop.lnk

                                    Filesize

                                    457B

                                    MD5

                                    9b91d97f399999995a4aaefe4b6637ae

                                    SHA1

                                    d0ac8c4ec8f0fcd13accb01509b7ae18886a2f5a

                                    SHA256

                                    f1b0a6bc0c1f594010af00c4a5e40bc46cbeb9615078860b68c7c14d7b8996e3

                                    SHA512

                                    a243549ea1e133d576b5c38a6ab69d6ef6845be013d820807ab2822e7c67ff04e07e0362cf8fb961989036c598d1b605ea1055db218f7477cb3ba20714ca964e

                                  • C:\Users\Windows 87\Links\Downloads.lnk

                                    Filesize

                                    880B

                                    MD5

                                    bf0fcee9183a6b6ca679c81c2b424488

                                    SHA1

                                    106030592ccbfb1478716b7d216de4097a04a1d6

                                    SHA256

                                    ec350d50a40c005cc6a0488c6b3b83c3562218681403c266928c51f37a6ef6dd

                                    SHA512

                                    85abb2933630ae8d2edc46392bce8b281bd3ac57f2a13ce6e5d179b334d7b4f1791849c2a88ad57bb286518df19a6de69fa97930c3254c2ce3317945642a8941

                                  • C:\Users\Windows 87\Links\RecentPlaces.lnk

                                    Filesize

                                    363B

                                    MD5

                                    0025c3a7d7c4e90e58332958b00d83c4

                                    SHA1

                                    01dd4fdb260f66923004acb5a874111a9d14da38

                                    SHA256

                                    36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b

                                    SHA512

                                    b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4

                                  • C:\Users\Windows 87\Links\desktop.ini

                                    Filesize

                                    282B

                                    MD5

                                    98470d9bd7fba55a0c303065f9c4f9be

                                    SHA1

                                    5303b190e29ba48332f7c90a832ef08af5a1953d

                                    SHA256

                                    3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72

                                    SHA512

                                    134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c

                                  • C:\Users\Windows 87\Links\desktop.ini

                                    Filesize

                                    468B

                                    MD5

                                    92adc8410cd8cb1d0481e2adbb62c7dd

                                    SHA1

                                    bac1444ebe0bac748966f3bee84ee11e151a4810

                                    SHA256

                                    4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694

                                    SHA512

                                    d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62

                                  • C:\Users\Windows 87\Links\desktop.ini

                                    Filesize

                                    580B

                                  • C:\Users\Windows 87\Music\desktop.ini

                                    Filesize

                                    504B

                                  • C:\Users\Windows 87\Pictures\desktop.ini

                                    Filesize

                                    504B

                                  • C:\Users\Windows 87\Saved Games\desktop.ini

                                    Filesize

                                    282B

                                  • C:\Users\Windows 87\Searches\Everywhere.search-ms

                                    Filesize

                                    248B

                                  • C:\Users\Windows 87\Searches\Indexed Locations.search-ms

                                    Filesize

                                    248B

                                  • C:\Users\Windows 87\Searches\desktop.ini

                                    Filesize

                                    278B

                                  • C:\Users\Windows 87\Searches\desktop.ini

                                    Filesize

                                    524B

                                  • C:\Users\Windows 87\Videos\desktop.ini

                                    Filesize

                                    504B

                                  • C:\Windows\TEMP\Crashpad\settings.dat

                                    Filesize

                                    40B

                                  • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini

                                    Filesize

                                    129B
