Analysis
max time kernel: 932s
max time network: 853s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2024 13:55
Static task: static1
Behavioral task: behavioral1
Sample: Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf
Resource: win10v2004-20240508-en
General
Target: Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf
Size: 212KB
MD5: 3f7efbed13f96db816b587b8fcfdc9ce
SHA1: 9890f9fbff05a18bfedca041903f0ef8140a198a
SHA256: 44351a40b74e96ac46873045badd2debe01b281bc3686375320c9daed1c768af
SHA512: fa98f4e69db86bdb71cc88386c62cedc856954d40923e56eb4fb3e6bf99e110d24c098f0aaf4ddd23bd8817ea42e5f3160464d1c40d9e83a526a8f86e6457723
SSDEEP: 3072:ggU0/AviT312hh+GQD3wL7D3b9/KS1tH+FdSzLT3gn9WZhzdGeQiKv70q8g8:g6/vT312WWcS3HVzLTwWlA3sN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: autopsy64.exe, java.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | autopsy64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | java.exe
Executes dropped EXE (9 IoCs)
Processes: autopsy64.exe, java.exe (x8)
pid | process
2224 | autopsy64.exe
4452 | java.exe
6296 | java.exe
6504 | java.exe
6704 | java.exe
6728 | java.exe
6216 | java.exe
4988 | java.exe
8084 | java.exe
Loads dropped DLL (64 IoCs)
Processes: MsiExec.exe, MsiExec.exe, autopsy64.exe
pid | process
5272 | MsiExec.exe (3 entries)
556 | MsiExec.exe (3 entries)
2224 | autopsy64.exe (58 entries)
Enumerates connected drives (3 TTPs, 47 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe, autopsy64.exe
description | ioc | process
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\F: | autopsy64.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes: msiexec.exe
description | ioc | process
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Asia\Samarkand | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Pacific\Chuuk | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\platform\config\Modules\org-netbeans-modules-favorites.xml | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Eirunepe | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Antarctica\Macquarie | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Asia\Omsk | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\pgAdmin.PNG | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\pl\LC_MESSAGES\glib20.mo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\ro\LC_MESSAGES\gst-plugins-bad-1.0.mo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Europe\Athens | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\if_export.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\jre\lib\ct.sym | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\platform\config\Modules\org-netbeans-modules-uihandler.xml | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Indiana\Knox | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\msgs\mk.msg | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Etc\GMT+9 | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\rr-full\plugins\direct.pl | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\WEB-INF\lib\jackson-dataformat-smile-2.12.3.jar | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\fd_dataSourceFilter.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\plaso\parsers\chrome_cache.yaml | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Moncton | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\America\Rosario | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Pacific\Fakaofo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\zmq.backend.cython.context.pyd | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Etc\Universal | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\rr\plugins\autopsyntusernetwork.pl | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\data_source_integrity_add_ds.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\linux_macos_install_scripts\add_macos_jna.sh | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\bin\gst-typefind-1.0.exe | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\lib\gstreamer-1.0\gstdecklink.dll | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\id\LC_MESSAGES\gst-plugins-ugly-1.0.mo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\plaso\parsers\winreg_plugins\mru.yaml | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\content_viewer_context.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\platform\modules\ext\batik-xml-1.14.jar | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\ja\LC_MESSAGES\gstreamer-1.0.mo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\modules\ext\commons-math3-3.6.1.jar | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Europe\Bratislava | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Etc\GMT-12 | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\solr\lib\jetty-security-11.0.15.jar | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\img\ico\block.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\portable_case_unpackage.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\platform\config\Modules\org-netbeans-modules-masterfs-windows.xml | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\CoreTestLibs\modules\ext\junit-4.13.2.jar | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\modules\ext\pdfbox-tools-2.0.25.jar | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\St_Johns | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Egypt | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Mexico\General | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Africa\Porto-Novo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Pacific\Easter | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\img\ico\slash.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\personas_cvt_accounts.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\reports_case.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\jre\legal\jdk.internal.vm.compiler\LICENSE | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\nl\LC_MESSAGES\gst-plugins-base-1.0.mo | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Europe\Kaliningrad | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\etc\security.properties | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\docs\tagging_image_one_tag.png | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\jre\bin\api-ms-win-crt-private-l1-1-0.dll | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Goose_Bay | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\msgs\en_bw.msg | msiexec.exe
File created | C:\Program Files\Autopsy-4.21.0\autopsy\rr-full\plugins\null.pl | msiexec.exe
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\e5d58b2.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5E12.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5E61.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI71CB.tmp | msiexec.exe
File created | C:\Windows\Installer\e5d58b4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5d58b2.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D74.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C}\autopsy.exe | msiexec.exe
File created | C:\Windows\Installer\SourceHash{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C} | msiexec.exe
File created | C:\Windows\Installer\{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C}\autopsy.exe | msiexec.exe
Detects Pyinstaller (1 IoCs)
resource | yara_rule
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\psteal.exe | pyinstaller
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry (2 TTPs, 28 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, java.exe, AcroRd32.exe, autopsy64.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | autopsy64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | autopsy64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | java.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | java.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
6108 | timeout.exe
Gathers network information (2 TTPs, 3 IoCs)
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE (x3)
pid | process
6424 | NETSTAT.EXE
4956 | NETSTAT.EXE
5436 | NETSTAT.EXE
Processes: AcroRd32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Modifies registry class (64 IoCs)
Processes: AcroRd32.exe, msiexec.exe, firefox.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | AcroRd32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | AcroRd32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | AcroRd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D1A1DAA61C0451544B6DAEA561F7AF77\82A0C4A257E0F124BA678B27CFBCBEC4 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | AcroRd32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000adbc178a40a1da01d53ca08c40a1da016197d78d40a1da0114000000 | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | AcroRd32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | AcroRd32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | AcroRd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | AcroRd32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | AcroRd32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | AcroRd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\82A0C4A257E0F124BA678B27CFBCBEC4\MainFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Version = "68485120" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | AcroRd32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Assignment = "1" | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | AcroRd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\PackageCode = "A4E9A51DEB6C1974A8803DC304706DD0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\InstanceType = "0" | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | AcroRd32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | AcroRd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\82A0C4A257E0F124BA678B27CFBCBEC4 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | AcroRd32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | AcroRd32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | AcroRd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\ProductIcon = "C:\\Windows\\Installer\\{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C}\\autopsy.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | AcroRd32.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | AcroRd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | AcroRd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\ProductName = "Autopsy" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\PackageName = "autopsy-4.21.0-64bit.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | AcroRd32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | AcroRd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D1A1DAA61C0451544B6DAEA561F7AF77 | msiexec.exe
NTFS ADS (1 IoCs)
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\autopsy-4.21.0-64bit.msi:Zone.Identifier | firefox.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: autopsy64.exe
pid | process
2224 | autopsy64.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: AcroRd32.exe, msiexec.exe, java.exe
pid | process
1440 | AcroRd32.exe (20 entries)
3284 | msiexec.exe (2 entries)
6704 | java.exe (42 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe
pid | process
1440 | AcroRd32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: firefox.exe, msiexec.exe, msiexec.exe
description | pid | process
Token: SeDebugPrivilege | 3292 | firefox.exe
Token: SeDebugPrivilege | 3292 | firefox.exe
Token: SeDebugPrivilege | 3292 | firefox.exe
Token: SeDebugPrivilege | 3292 | firefox.exe
Token: SeDebugPrivilege | 3292 | firefox.exe
Token: SeDebugPrivilege | 3292 | firefox.exe
Token: SeShutdownPrivilege | 1328 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1328 | msiexec.exe
Token: SeSecurityPrivilege | 3284 | msiexec.exe
Token: SeCreateTokenPrivilege | 1328 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1328 | msiexec.exe
Token: SeLockMemoryPrivilege | 1328 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1328 | msiexec.exe
Token: SeMachineAccountPrivilege | 1328 | msiexec.exe
Token: SeTcbPrivilege | 1328 | msiexec.exe
Token: SeSecurityPrivilege | 1328 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1328 | msiexec.exe
Token: SeLoadDriverPrivilege | 1328 | msiexec.exe
Token: SeSystemProfilePrivilege | 1328 | msiexec.exe
Token: SeSystemtimePrivilege | 1328 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1328 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1328 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1328 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1328 | msiexec.exe
Token: SeBackupPrivilege | 1328 | msiexec.exe
Token: SeRestorePrivilege | 1328 | msiexec.exe
Token: SeShutdownPrivilege | 1328 | msiexec.exe
Token: SeDebugPrivilege | 1328 | msiexec.exe
Token: SeAuditPrivilege | 1328 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1328 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1328 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1328 | msiexec.exe
Token: SeUndockPrivilege | 1328 | msiexec.exe
Token: SeSyncAgentPrivilege | 1328 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1328 | msiexec.exe
Token: SeManageVolumePrivilege | 1328 | msiexec.exe
Token: SeImpersonatePrivilege | 1328 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1328 | msiexec.exe
Token: SeCreateTokenPrivilege | 1328 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1328 | msiexec.exe
Token: SeLockMemoryPrivilege | 1328 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1328 |
msiexec.exe Token: SeMachineAccountPrivilege 1328 msiexec.exe Token: SeTcbPrivilege 1328 msiexec.exe Token: SeSecurityPrivilege 1328 msiexec.exe Token: SeTakeOwnershipPrivilege 1328 msiexec.exe Token: SeLoadDriverPrivilege 1328 msiexec.exe Token: SeSystemProfilePrivilege 1328 msiexec.exe Token: SeSystemtimePrivilege 1328 msiexec.exe Token: SeProfSingleProcessPrivilege 1328 msiexec.exe Token: SeIncBasePriorityPrivilege 1328 msiexec.exe Token: SeCreatePagefilePrivilege 1328 msiexec.exe Token: SeCreatePermanentPrivilege 1328 msiexec.exe Token: SeBackupPrivilege 1328 msiexec.exe Token: SeRestorePrivilege 1328 msiexec.exe Token: SeShutdownPrivilege 1328 msiexec.exe Token: SeDebugPrivilege 1328 msiexec.exe Token: SeAuditPrivilege 1328 msiexec.exe Token: SeSystemEnvironmentPrivilege 1328 msiexec.exe Token: SeChangeNotifyPrivilege 1328 msiexec.exe Token: SeRemoteShutdownPrivilege 1328 msiexec.exe Token: SeUndockPrivilege 1328 msiexec.exe Token: SeSyncAgentPrivilege 1328 msiexec.exe Token: SeEnableDelegationPrivilege 1328 msiexec.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
AcroRd32.exefirefox.exemsiexec.exeautopsy64.exepid process 1440 AcroRd32.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 1328 msiexec.exe 1328 msiexec.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe -
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
firefox.exeautopsy64.exepid process 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 2224 autopsy64.exe 2224 autopsy64.exe -
Suspicious use of SetWindowsHookEx 39 IoCs
Processes:
AcroRd32.exefirefox.exeautopsy64.exeAcroRd32.exepid process 1440 AcroRd32.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 3292 firefox.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 4520 AcroRd32.exe 1440 AcroRd32.exe 1440 AcroRd32.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe 2224 autopsy64.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
AcroRd32.exeRdrCEF.exedescription pid process target process PID 1440 wrote to memory of 3060 1440 AcroRd32.exe RdrCEF.exe PID 1440 wrote to memory of 3060 1440 AcroRd32.exe RdrCEF.exe PID 1440 wrote to memory of 3060 1440 AcroRd32.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 
wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 4832 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe PID 3060 wrote to memory of 2624 3060 RdrCEF.exe RdrCEF.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2351D21228181DCDA8C9BA61D85E8B46 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵PID:4832
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2EF37671CB5286130E8B99806574D796 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=2EF37671CB5286130E8B99806574D796 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:13⤵PID:2624
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44BA52CF10DC1B26D8CCC05E704BF4E0 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵PID:2848
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2120F4C1AE18D441AD61C14320DAB279 --mojo-platform-channel-handle=2496 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵PID:4280
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A8E8F8646A058DF774D643A97BBF86A7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=A8E8F8646A058DF774D643A97BBF86A7 --renderer-client-id=6 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:13⤵PID:4416
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA5779713AF8B580730362FD0C7D45B3 --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵PID:3252
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=12D718B7F757DB2BDA4D954258ABC2D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=12D718B7F757DB2BDA4D954258ABC2D8 --renderer-client-id=10 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:13⤵PID:5332
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=568174B1698F85DB324761CFEE460F54 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=568174B1698F85DB324761CFEE460F54 --renderer-client-id=12 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job /prefetch:13⤵PID:5936
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:81⤵PID:924
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:1352
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3292 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.0.205603629\1364296261" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d71b38-d242-4aab-903a-d93d0dcf7e3c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 1896 2411c1f0358 gpu3⤵PID:2852
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.1.320852209\390918207" -parentBuildID 20230214051806 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11fd6fad-002c-430e-9a5b-32a0f356f5a4} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 2464 2411048a258 socket3⤵PID:3660
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.2.59490874\1677719749" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bf9f676-91c4-41cc-b50e-3132ad55d9a8} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 3132 2411f9efd58 tab3⤵PID:1620
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.3.1053473547\1056583224" -childID 2 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e19b9a8-06fd-4580-9b3d-305bffb57c6c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 4220 241225bcb58 tab3⤵PID:1352
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.4.417421345\1985183238" -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 4976 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0fa4fe1-e85f-4886-a051-4ce6ad55d24a} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5060 24124976258 tab3⤵PID:5288
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.5.1029535936\1769094673" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca00a459-fc78-4375-8d2f-4d3622a72a0d} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5080 24124976558 tab3⤵PID:5296
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.6.2081543461\1830468605" -childID 5 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92d9f361-3c34-4bfc-a5ef-9b269a64c62c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5424 24124977458 tab3⤵PID:5304
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.7.401932288\1271512811" -parentBuildID 20230214051806 -prefsHandle 5764 -prefMapHandle 5812 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb41265e-ec8c-4560-8fef-dd709ed04999} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5860 24125acc558 rdd3⤵PID:5852
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.8.417756331\486453977" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {149865ab-51ff-4e07-86ac-525593bc38f7} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5884 24125acc858 utility3⤵PID:5860
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.9.1337186209\1435053468" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 6136 -prefMapHandle 6132 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b57e9781-d3f5-49fa-8b71-1736cb0ab033} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5764 24125acfb58 utility3⤵PID:5928
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.10.1641794278\2136795190" -childID 6 -isForBrowser -prefsHandle 6160 -prefMapHandle 6156 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {330452bd-71ec-4e48-9830-4c21c465eaaa} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 6264 24125d95058 tab3⤵PID:5936
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.11.1261101082\179117454" -childID 7 -isForBrowser -prefsHandle 6652 -prefMapHandle 6648 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35853b29-bd20-4621-9ff7-5e660bf3ed9e} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 6660 24126bcc258 tab3⤵PID:5700
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.12.687922059\1048541887" -childID 8 -isForBrowser -prefsHandle 9832 -prefMapHandle 9836 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf8544f-82da-4dcd-bedb-45b32c8be40a} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 9824 24126836558 tab3⤵PID:3780
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.13.690392161\962143559" -childID 9 -isForBrowser -prefsHandle 10716 -prefMapHandle 10712 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f50bfd19-ef42-459d-a1df-170ca714faff} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 6792 24126b06658 tab3⤵PID:4568
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.14.1427824552\249568070" -childID 10 -isForBrowser -prefsHandle 10524 -prefMapHandle 10516 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc1b1969-23ff-4d7a-a9ea-a75c8cb7697e} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 10532 24127170558 tab3⤵PID:6000
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.15.1449905771\128334592" -childID 11 -isForBrowser -prefsHandle 6260 -prefMapHandle 10468 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df73b15a-bec4-4a1c-bcbc-77f378801259} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 10292 24126d71758 tab3⤵PID:5296
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\autopsy-4.21.0-64bit.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1328
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A063015C05DCAEF2825D55F2DC14ED84 C2⤵
- Loads dropped DLL
PID:5272
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:6096
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 94C9A71E4A8A42206ADD3A33A1E8644D2⤵
- Loads dropped DLL
PID:556
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:1600
C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe"C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2224 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\autopsy\solr\bin\autopsy-solr.cmd" start -p 23232"2⤵PID:5692
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4452
-
-
C:\Windows\system32\findstr.exefindstr /i "IBM J9"3⤵PID:2880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version 2>&1 | findstr "version""3⤵PID:6300
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:6296
-
-
C:\Windows\system32\findstr.exefindstr "version"4⤵PID:6292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netstat -aon | find "TCP " | find ":0 " | find ":23232 "3⤵PID:6408
-
C:\Windows\system32\NETSTAT.EXEnetstat -aon4⤵
- Gathers network information
PID:6424
-
-
C:\Windows\system32\find.exefind "TCP "4⤵PID:6436
-
-
C:\Windows\system32\find.exefind ":0 "4⤵PID:6404
-
-
C:\Windows\system32\find.exefind ":23232 "4⤵PID:6452
-
-
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -server -version3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:6504
-
-
C:\Windows\system32\findstr.exefindstr /i /C:" C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr " "C:\Users\Admin\AppData\Local\Temp\solr-pattern.txt"3⤵PID:6684
-
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -server -Xmx2048m -Duser.timezone=UTC -XX:+UseG1GC -XX:+PerfDisableSharedMem -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=250 -XX:+UseLargePages -XX:+AlwaysPreTouch "-Xlog:gc*:file=\"C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr\solr_gc.log\":time,uptime:filecount=9,filesize=20M" -Xss256k -Dbootstrap_confdir=../solr/configsets/AutopsyConfig/conf -Dcollection.configName=AutopsyConfig -Dsolr.default.confdir=../solr/configsets/AutopsyConfig/conf -Dsolr.log.dir="C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr" -Dlog4j.configurationFile="file:///C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\resources\log4j2.xml" -DSTOP.PORT=8079 -DSTOP.KEY=jjk#09s -Dsolr.log.muteconsole -Dsolr.solr.home="C:\Users\Admin\AppData\Roaming\autopsy\solr" -Dsolr.install.dir="C:\Program Files\Autopsy-4.21.0\autopsy\solr" -Dsolr.default.confdir="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr\configsets\_default\conf" -Djetty.host=0.0.0.0 -Djetty.port=23232 -Djetty.home="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server" -Djava.io.tmpdir="C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr\tmp" -jar start.jar --module=http ""3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6704
-
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -Dsolr.install.dir="C:\Program Files\Autopsy-4.21.0\autopsy\solr" -Dsolr.default.confdir="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr\configsets\_default\conf" -Dlog4j.configurationFile="file:///C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\resources\log4j2-console.xml" -classpath "C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\WEB-INF\lib\*;C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\lib\ext\*" org.apache.solr.util.SolrCLI status -maxWaitSecs 30 -solr http://localhost:23232/solr3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
PID:6728
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c chcp2⤵PID:1860
-
C:\Windows\system32\chcp.comchcp3⤵PID:3812
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" process where "name='java.exe' AND commandline LIKE '%-DSTOP.KEY=jjk#09s%start.jar%'" get ProcessID2⤵PID:6404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6452
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ver2⤵PID:6988
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c net use C:2⤵PID:6224
-
C:\Windows\system32\net.exenet use C:3⤵PID:6332
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c net use D:2⤵PID:3840
-
C:\Windows\system32\net.exenet use D:3⤵PID:8272
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c net use F:2⤵PID:8292
-
C:\Windows\system32\net.exenet use F:3⤵PID:8340
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Autopsy\test_20240606_140511\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\autopsy\solr\bin\autopsy-solr.cmd" stop -k jjk#09s -p 23232"2⤵PID:1972
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:6216
-
-
C:\Windows\system32\findstr.exefindstr /i "IBM J9"3⤵PID:6380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version 2>&1 | findstr "version""3⤵PID:376
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4988
-
-
C:\Windows\system32\findstr.exefindstr "version"4⤵PID:7308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netstat -nao | find "TCP " | find ":0 " | find ":23232 "3⤵PID:6548
-
C:\Windows\system32\NETSTAT.EXEnetstat -nao4⤵
- Gathers network information
PID:4956
-
-
C:\Windows\system32\find.exefind "TCP "4⤵PID:1860
-
-
C:\Windows\system32\find.exefind ":0 "4⤵PID:6840
-
-
C:\Windows\system32\find.exefind ":23232 "4⤵PID:4592
-
-
-
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -Djetty.home="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server" -jar "C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\start.jar" --module=http STOP.PORT=8079 STOP.KEY=jjk#09s --stop3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:8084
-
-
C:\Windows\system32\timeout.exetimeout /T 53⤵
- Delays execution with timeout.exe
PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netstat -nao | find "TCP " | find ":0 " | find ":23232 "3⤵PID:1632
-
C:\Windows\system32\NETSTAT.EXEnetstat -nao4⤵
- Gathers network information
PID:5436
-
-
C:\Windows\system32\find.exefind "TCP "4⤵PID:8228
-
-
C:\Windows\system32\find.exefind ":0 "4⤵PID:184
-
-
C:\Windows\system32\find.exefind ":23232 "4⤵PID:6568
-
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" process where "name='java.exe' AND commandline LIKE '%-DSTOP.KEY=jjk#09s%start.jar%'" get ProcessID2⤵PID:6116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1704,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3168 /prefetch:81⤵PID:2312
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
647KB
MD578f705e2b473abde0eb0eab5875f4cc5
SHA1fb3a8d6fab6bad11191f8a38fb1abb2b83744821
SHA256fc45aa2d807a5247ee76da29123ded50c28b4e1d6eb7eee0274138abd157c9c2
SHA512ab037c081b227c59195fd067da5dd6be4394cc01a673592a495c68ffc8eccda16861dafc2ebb28ab076ecdb0011068b197a2e11fa5a58407ba55104d64da5096
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
31KB
MD5207a56c785e5bb8b7ba08919e3ae43f3
SHA19fe9eddcdab3f7bade7e43882226add1046e0601
SHA2566dd6aebefac0177cf90b4c2d8b7e7ca9847c5b97c5b486b37e67582400b683a9
SHA5126b630daba8ebd14e097147677b1c8a7558a0b8ae1aa10ffe0fc731e1b2c398905623ea6a92eb31811a53ba53a553a68c2d4060899724826f4edec185c5786c88
-
Filesize
136KB
MD5914d78ee22c22e53676f05c25ef1fc5b
SHA1b7111482400b411bf3268b29773bb81c16f6701e
SHA256fa69c478cceff65b3728d4e33bddd0e1cdecb5c8643115ab75e69364d9919d0b
SHA5127b1a017e99f807af0bb4e90eb3a2145cbb83c508ec7f5d2a8d164b95ca1d3f028234d9ab2b366b93e6f03f23ea93ddb19569d5d3c41fc1f505a9f44e8c61a4c5
-
Filesize
123KB
MD5d004f45d7002fc19fa7c041fd3715380
SHA198dbb3dbfbcd030774424c132d5dca6d253647a8
SHA2561cfa8c942a4964e1ffc73058b58e8937675e1eecef22f53478b1fee428b30d47
SHA5127e0ebc08cd861886d059300f602ef3f3cb3a62371ec8e34417e453ace965a5de57a949d157120cea3f4695373f85be8189af1e29c174b49a0eb87ce1e7b6ed04
-
Filesize
157KB
MD53c26bf67c50b0fb701b2f9fd4d932706
SHA1b93b0cf8031e07ec41886fe8d4f0bd54d83810a9
SHA256292ad95287dc58eb45ab381b6b5a54a5ee864f4177b16721428e05a95dc9224e
SHA512f6527c66917fbc33e644539fe641c8e343c1875a2f494fdba62a77cc651faf6b16caa594d4dfe0324094dfdc0ebd7d6dff7cbf3395f460d7a30ccb0296b7593b
-
Filesize
11KB
MD53b83ef96387f14655fc854ddc3c6bd57
SHA12b8b815229aa8a61e483fb4ba0588b8b6c491890
SHA256cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30
SHA51298f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8
-
Filesize
7KB
MD5d3aa5e7e614a71f77168ef2d78dee29c
SHA1313f0f1bc7b06919fd30e711c7994bd4e83dd30e
SHA256ff9ed2eae018d242c1f222c2a22c1dfb936ba053d92e11c3f6f88a4df025fced
SHA5129dccf8f5d375b2efb87dc40086a1704625ec362cdec5d85b131ad4e7cb1a76803987a65ebf3c10ad99899d30b308165c7af4a25616e8359401f267ad6b148c32
-
Filesize
5.0MB
MD5b7e726274c6f354149782937146e2836
SHA1c14227e94e83f5b85aff1fb45c2715b1e5f596ad
SHA256da0f5167c6a21d704623c7fcc2e2a5d6afb9c368ba47e9457af09240fc3b17b1
SHA5124e44f51b00664e925cf15d23ce4bbb7acaa8626a75d96b75f95cf596c25d07a16476e1350252d9e4a5f91dcfa9a3ce48a780af69bb33295d91c3be071bdfa458
-
Filesize
170B
MD5ea536f3401f1154cd0fbe55d60fb1919
SHA12761dd20ffe255714f9005b59407db9bc75b5f08
SHA256d5ded126df8f693ce1ff83e85aa4d44185c2bdef7da1f915b214f53deffdee47
SHA51257a60cbbf067bc6d41c359a0ea23aaad3325652a7fefb33dbf015de41d851afc182c1472f651b4f562fe8b42c74e6aabb45f2f8d3fc8d496a9c6b2050cbb7ca5
-
Filesize
285B
MD525b7a0eb842dcbbbcb5144542d3263bb
SHA1f4c36cebb3a7e69dde1a4af0775a40b0f1e0397f
SHA256f143bcb83b80bc1ad0bbb8ad736c852e62bbeb6b3134412bfa77684663ed222a
SHA5123faf66286b864dfaecac12319802acb3a23e2de64ad71d91d53ec933ad80c21cd14070df2d098b28d4604280898836d6e890caa8b6a23bf532c0d36d6724c6d6
-
Filesize
171B
MD56b109e5e08cf0d1f15c2809afe1da830
SHA12f6afbdba37f364f0eca9ffe905d0abbcde401d3
SHA2563d7e6d17cabdaa1814a56dddec02687e1087bc3334fe920ad268a892bf080511
SHA512f53d5fbba83c57e35976b14cf072b0257d22b155161f9592a64f1bd5fb0492dfbc26f665c0c544a469728573602ed13111a1d99caae311af29b68e1d051a7a6c
-
Filesize
171B
MD5f880fe97beb11acafcf088263b83d1df
SHA16fa3682d860ca2a88e2ef1fd01e081138b945221
SHA256e40c3386f3a5cd88a03c811fa30ecac34f31368f960ae79e4a90de295c5b1938
SHA512d10fde671f390c57a0caac342c26ab9e3506367bd358337cce8c4d89decd8d120da2c95d74ca0766f5851bbae5b2b8e5c648185e9e417aabc3eecc7bce279414
-
Filesize
170B
MD56a95f4e0602e0869a03a18a7501c6675
SHA10fa20e8413a337c1d603389fb46484f1cfa5d71e
SHA256b2659c267f7555c0640505660234cbe0d7feead3a5e29f41272e28a1d7d18962
SHA51201e5216822bc00070c7728249ed4443b070f901f6337de4ee72b7f4b6623b2638be69f72e5eb0838ad3c78e70618f1c839e681928316305f9b0ab9922c039f51
-
Filesize
127B
MD5ad900f33830dc2a74a8f627fc0857683
SHA10e94823baf3e5865c79f728bf51191bab399070c
SHA256d7b39879094135d13efd282937690b43f48bb53597ce3e78697f48dcceaeb3ec
SHA512819a2e25d2fe633867989127fa374ad3efc733af375b9db669a3372e7883a2ee5965d557b852a09a71762562cb38947405891f2176d97e3fb45eaea9224761d3
-
Filesize
3KB
MD50893552f7fa23c170ff0c8ce50280840
SHA1ebbbd8852b59532ffdb5c32b1623afdfa8231780
SHA256b14c486019e3cb259cf8235a0d6a4bc3ff6cfa726a165f1ea2df403c8ae31b86
SHA512461f6c4a14a723d7cde06235ec067899800db3f3729a9d7327fe2f75da8e9c9e2897f0eeaff3a732dd8aa078f34a798065628319ba25c15daef25f2ada29e1e1
-
Filesize
1KB
MD55c54d192481fed74b0cc90352ed5de3d
SHA144797e1d8343743f9f77ee24527db98491c1609e
SHA256e957543623baaba84999b40188e7e0948471b75a8ff4f88abb267e773feb8e5c
SHA512ad52f04fadebbc8a44a5c16dbbb8b049420853e451538b61a8556b0b2c47937c3e11738852d9c71cb0eee1431bc9110f10a6d8b5cd8b6d3ebd46b45967c90c7f
-
Filesize
414B
MD5c2b2749e486441161bf61d6fec4c97e5
SHA1db79f6be81fab3de51442b36cc3cbf1b627385df
SHA256953622bbd7eb9eba8c3b9e8cd5d5ec98cea6a085a9deb1c43e49e889a154d344
SHA51205d0bd34a102a3029f5e2a1e2e90ace79ce2af87e51f36962c89d662e2d495233b5d37abe857dfb7b3e1a85e69fb3c7e36f7b08225e55e7b95973e3f2d5a31d0
-
Filesize
127B
MD5fe9ad2d5c4c79122a99b4d5ed44fda0e
SHA1d7948ef155843e0c7d055bdc3632877b49873864
SHA2563c71b358be81e13b1c24e199a119fd001dbcdb90edc7d44c2c7ae175321a0215
SHA512793bb4d4603a238b5f1c3dcb07e5f42179d40e8df775831cd466bff699444788894fa3e916e5da9de62502218df027b6f1b95ced8c2b05b96a07ea50f4c71cc9
-
Filesize
40KB
MD5872da51f5de7f3923da4de871d57fd85
SHA16c62681a2f655b49963a5983b8b0950a6120ae14
SHA256d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0
SHA512f9b033fc019a44f98b16048da7e2b59edd4a6a527ba60e358f65ab88e0afae03a9340f1b3e8a543d49fa542290f499c5594259affa1ff3e6e7bf3b428d4c610b
-
Filesize
206KB
MD5206bab4cfa6d4360c50ad996f0a1555f
SHA16ac8ce495b870fa8341ec39a84df838b33822460
SHA256ee790adfcf8436d7b128ddb43d6f6df1a8404df7612972b2bef7022b4f27bf69
SHA5125e38f57055aab79130a4cd4c141d28d9c59862fd6b6e238bd2b2569d23296cf2012a0b6a714c0ede6fc108daac927e5ea4bc50c5499c65992e7f739502fb05d3
-
Filesize
34B
MD5a63b7001c60b705015b077af7ae08510
SHA1bac71127e5398d33104679658269a57c6843effb
SHA256b3136437c638226bd2f0412ebade4618b3cee5a6df3af298f57c54aa9de2edc7
SHA51230f69e0736bfcfdf417c65604c3dbc81af22f56dfeae72d357ea2d410c79573eed236aa989756d2a4719bcfb04aafaf320d05c7fff2ef7f3ea529adb5f01072e
-
Filesize
3KB
MD59fb4c436b9dcdca7bd051b146ae0f614
SHA1445bae7190be56387a97777fae9297545732ec71
SHA2565882413a1da59f3d8050c009362793c96a2cc707d903b3e794e176dc271e0698
SHA512decbc620247f77c3631f762c2a520ce0a2d35d06050798d4b4c96b18dbbe0aff745fe1107bea2adef05daf836d579d931c4381c5f0f6abbdf126879501f013b4
-
Filesize
1.4MB
MD5fd9d949fe0a3375be676f828b6d39bd2
SHA1f9993e0472ea62753de9ea875b4123f623c79455
SHA25694d8438345a09adac1c4a43b0e86149480ab7dc49051f94c7e796446de8ddb87
SHA512481fe5b9a27a2a9c6584f45f6639f294a2a02a1c402190f50338163327ae5589c2d7f413ca603473403020cf14df026bdab87b31b6c02a25d27f185bd2d44c65
-
Filesize
143KB
MD5bd19a3738fcacd1e97d10c476a5ebc02
SHA1e9379582f779ca7ee0c9f845adf1dc3fbe85498e
SHA25662ffc7a48edadac928386008627586a6393a207d3a60a3b6b7cb371132d24ecc
SHA512662130b2967a4b4e4f0b0ff89461ad57b7d2254da9fd07f91445d5aee4b913fd993cb1d87c87c064f5ff6efc95a04e950eab1f8fa232700eb4341b35f7f0b39f
-
Filesize
32KB
MD591078808871648430ba05cd1bebeab23
SHA1c340dad3402c20f9cf74bc7a1f5fc81f1008879b
SHA256669647452299085cf1d4c6a6aaf4e792792e0eefe034a98d44be6d4f0f765886
SHA5125e4dcf962428e7e72f7d1f3ff77e62aa4dcd624e412691cae21704c313c3024f726e54ea9b4022e19a2046c6df7d6545ae85bb00a51eeb67f0b9749a595ef721
-
Filesize
849KB
MD52f8c3114677807c37c8c3b1b26ed9234
SHA1716652c6943bbb4751b870cda2009edf3fa52b6e
SHA256c460d645282990af9b0aa3f33d8a397dc0f895646fca3a37329ea648cbba6f3f
SHA51268cc05f61192ce80d2c77fe70f84379f2620fedd54d164854e4eb62cb6f686651eef4ac77597ba0e91f6f59260f9dfeb27eb8ba298d13cb9ef49d216a166de6d
-
Filesize
558KB
MD5bf78c15068d6671693dfcdfa5770d705
SHA14418c03c3161706a4349dfe3f97278e7a5d8962a
SHA256a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb
SHA5125b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372
-
Filesize
94KB
MD52f8b82a62e9f8d81ab75cd5486c741eb
SHA13887a5286bb80ee65d2372ca3c153e6dc7388a19
SHA256c3a54b42b1c119222f3d8d9dbef473a6287399c1266caf8ce8fa673366b9b88a
SHA512071f582668bcaff4421fece9d5056f011d6c4dba0d47ac014e0de8315ffc58e09a5ddb51581df18b291b7f60bf1f3cab497117ae4badf97c24fe81074153e861
-
Filesize
78KB
MD5a56d9921fa5aa0c75652ff41f98c9311
SHA1317e30b7a3646f4a9b16177b3a66eb7d49dc2d34
SHA256cdf0e159dc013b7ef799924a7107f96896fbd2efe0b0e6e6ed4a6032a5f2f77f
SHA512eb3d4d43930bb716792513c61a98dfa4a57206f4978d49c7026c38ab46cd99418144d85fde21632a6603c311c4e2907e6b66bbbb94d8ee1f84a9261575a3e6f1
-
Filesize
11.5MB
MD5ea66102d0854d2c2478a005048340b74
SHA16b2075c1c6389999fd7d30ffe1bf65892db93a75
SHA25610b75c4bc3d9b733652f9b761d950d184b2a0bb4ffd5350b5b47236b44be08db
SHA512713b988c274dee776455425061d6de9c85ac9e74fb2cc34849a4396972a31e02294a9c7edee1313c4c2a31ce1cbf308a0f42dba9243befba8596f7eea2474ffd
-
Filesize
53KB
MD5bfd8b59f2c168920cf00fe1c326f7d4d
SHA169b09cc0fbc8f231fe389b337e0a72a53b44fd89
SHA2563f368d429a48c254bbfc9223de4d66d2f3cdf7f7f5714e95cfc52f2f876dea06
SHA51241e868504601ba914ab1abdae91b08c4138015c27dcfeef07369c08ffb0350f4d6ed6171dd4ae1daecc6706746efc04ee5e6a97540a5ccf9810b16d52097ed84
-
Filesize
87KB
MD5f16c5a2fe5b01acf8309bdc916bcdf90
SHA1e9edd1583c845bcd2d92017da9fecbe2cf8a0f5d
SHA256d57d9204e1e5973b92708288f161307b82c12b373aa894f33bace9f42cb6c0d0
SHA51217360e28b5f390516bd5006070d512bbd67ced8725f11023f16ff4f50b807b9b40226ddc444a1083e319880041662d954c470dab0d164faf343444ef369f5592
-
Filesize
2KB
MD50f00ec3e7a7767a4efeae1875fb5f3d4
SHA1167808418571e9209b952188ddab2f4e62920e68
SHA256b62d2733ab99556b108a1951d894c5a8d76b1ac7a00c02c388f9eb9be046c56f
SHA512e869f4a3b821a9933796dc9a56ee00483493369dfbfe07b3b1d895cb8318c6821cd44134eb37513f15b830c25861b596646824ed56672d08b678fefe6a4c7504
-
Filesize
6KB
MD5385443b7e4a37bc277c018cd1d336d49
SHA1b2c0dfb00bf699e817bdd49b14bc24b8d3282c65
SHA2565bc726671936e0af4fdf6bed67d9e3a20a92c30b0ba23673d0314baa5e3ffb08
SHA512260afc7671a1dc0c443564f1d10386f0b241bb53c76df68d8d03f1d0b1ceaf3f68847ab3477732c876c2b01c812ef7521744befe88e312f3aa63164b608b67a1
-
Filesize
57KB
MD59de4139494e2c62f18b76e5df12e2dff
SHA19f3b4e00dc585f09b098247463f0165ee3f34740
SHA256d3869371d15a199e17e227a45b95e6b78b69fce329dba03c4a2a42cd3efff20b
SHA512d4d150b28a2154c5c4474cf0289b66cd0dcdeccbc0cb943b98411efefb76af61211dc528820b753ffefe3a6d5a7272dd6f27e78e93bce776d258a571c0e7a90c
-
Filesize
35B
MD54586c3797f538d41b7b2e30e8afebbc9
SHA13419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA2567afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
-
Filesize
33B
MD516989bab922811e28b64ac30449a5d05
SHA151ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA25686e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA51286571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
-
Filesize
21KB
MD5b02ee240a8db902961fe886a19beba16
SHA1c52c42d591f4c650b629e6b374e967e211fb5aeb
SHA25636dc51c4bf787f640a4b45cbb84ab6954f6e595cbd3617c2f5a4e1e607b38bff
SHA512024811961511b7182860ed03a5670f82412a45d005a1db0876f6b0c9af7e96c104566abff0ebbded11a780349444214291f439039d20fb92071c7dd24bda0e23
-
Filesize
119KB
MD5e1c3b96035117ab516ffe0de9bd696e0
SHA18e6300ef51c1d801a7ed62d07cd221aca3a90640
SHA2561263369b59e29c943918de11d6d6152e2ec6085ce63e5710516f8c67d368e4bc
SHA51204362f50a2b66934c2635196bf8e6bd2adbe4435f312d1d97f4733c911e070f5693941a70f586928437043d01d58994325e63744e71886ae53a62c824927a4d4
-
Filesize
71KB
MD516e6ac17d33ad97baa415c42e9d93d38
SHA11f2a432d1212f5c352ae607d7b61dcae20c20af5
SHA256a347c24732db2aead106b6e5996a015b06a3ef86e790a4f75b61761f0d2f7f39
SHA5120bd9c61553808b8a12822f009ea5622918033a9fa8cb6e3ef319bbff08dda00cf439b5653f25d8f3362f02166530a0eabe2664f1169bcd63e2ed93a603c13874
-
Filesize
51KB
MD5f087bfb911ff93957e44860de3e73c46
SHA178d2ecd61318b5a58cd04fb237636c0e86b77d97
SHA256ae629c2609f39681ef8d140a42a23800464a94f2d23e36d8f25cd10d5e4caff4
SHA512666318e09f4ae02652a64ce2ddd4dd51275a1917108061155aa8d1d9956e9d54bc259d0586ed7cd745c6ac00ab54fbfdd577f6ce915a158fc2eef373d65d445c
-
Filesize
168KB
MD50720eb4b155fa978809090cc9b539e96
SHA1303673e949eabaa19ae20e8cca14a94a99287ee4
SHA2566356989c0aab619c9f0db38dbcbc5f3a1071b4606c0be8c9c9a2b4b1b50b77ea
SHA512f73139e7c48150c4bb2b648c258df9aa8751d149cb40539c10931339d4ee6d2819a80abe9ffe5f65b3bfa9c30aa4900068b2c8cb9c138ffc3ef8bb9f60539c39
-
Filesize
842KB
MD52594e6c00fa8f3884fe64d2184fe2ee3
SHA15fbb1f6b3268c2d0a4debc20c8906fb0b20fe013
SHA2569d9091bb7977771bfadf92fee7cdf7d5dbdae76225f396dbddeccaac07164169
SHA5129f38a3d053a056f32ce79679b16e569f713ae0b1aed275da80cc89cd4e26cbfeff9785a9fc821db82287dbfabb5409c7220cb7af84e672f6a2de16926c4cbe47
-
Filesize
57KB
MD5099510686a56eaeccaee49cd8e75053f
SHA1c2ef76b5b00f577d2814fe8d2a704717564bfd93
SHA256dbe5f377bdc7d089bf32bf540eb5c6b3ca2fada8fe17f9943bb6819bbc7202b2
SHA51247a57c55ca4f0b1003ae1a429ad45055c71a7a6e977ca26dbb0c3aee27595fb9dd5ae312aaead409455d837fece4f969b3dd416b63f64a33a15af15259b598f5
-
Filesize
102KB
MD52102805eb3f24e5c73492856c199dbc1
SHA1401ef08fbd7a23b037758ce6e2cc1e2204cf017d
SHA256868e3f1c002ab8b1e6b8522bb3a35fad019baedb660c253e24cc2b3c8bcaf4a6
SHA512cb56c921a0b4fb5a59921a38607fdad373c88973fc8a73d1fd8068666bfe44c2f6fd8b1cc92a4571042d2654de5f5f0480727a0f6a776977d1e76d149b5237dd
-
Filesize
965KB
MD5cfafdefef7180cfd2aefd1c15b3a9f64
SHA13a9a4981531246ada42802672584229e87f19f07
SHA25604d3f807a597533d24ae55b3f5646357c6247f5bfc2f324332135fcadd75cf9c
SHA51297bdd073449e5265c7389c78dd686a5502ae88c4801a6ac74e2235d31defde3bfb0b230fc12890dfdbb2d9310ff9f1e5835305e32fbe624674e776c03cde8cbf
-
Filesize
560KB
MD51fee4c2909f547300f0e0cca400e3358
SHA14664ed505a45b098ed9a596ed359cfdf9642547a
SHA256d667d5c0d16c13d0f99332d0ed4eef88d7c470754d2646177c46a810003b32f5
SHA51241c4ea8ca678fc0b7f109fcbe52bc097ba10ce63272275c95b3c5201702b7e7d2c2d0ba4ff1537251150a90950c96f7ed64b953924711e1b0e51732763b343a9
-
Filesize
224KB
MD557a6761d19c0abce284606533305ef84
SHA1030e2a78e3536965325764fda0e3ccf456877b61
SHA2564f2bd7ff4e40fb18dccef4a5d21d217e23af4a9db2d079f36c2bcca61535a2a4
SHA512f395b3cc61717b5ffec08ab0bac59466f8efc6048774f4f8d36323e04ac86d7a7bf6e180fc8c24446decfb2fb78e036b0e19d3b24311da5a2109e2bdc119e46e
-
Filesize
100KB
MD5e4e8f595806e4724e807dc24126f84a4
SHA126cfdcf3483979dc532e50f85aff88ea4861f606
SHA2564ee260355ddc1aa93de34cf9ff6c2a2329085790e2126ac892d30d5b93f0f002
SHA5121a0560fd0b76ab4a0f1d47818875c04228984925bb4312d877f6dba44035e00fcf04f233caa1db8911d832d60f515b5965dda70d19c12e8c6ef9271cdf4c355c
-
Filesize
409KB
MD52fe9008bd835b2f5f303bbd854a12814
SHA146431c7467f39bc8239930f68ce47787f76939ae
SHA2567f555c62404f0f841394fd60c88d25578061a17f31cbf1f0145e129051325096
SHA512bc08745b72d3fbaa829c461586785b5604b400c35c785badc46c9d1a26598ad090fd6cf4691b14a61619b02daa1a7fc312db9c17457c381370a5fb5d7d981e83
-
Filesize
347KB
MD51c3ffc9de77cd29763c2394ba30e9489
SHA13dc781ddc17794328222cfd6d3405864e5671fbb
SHA256f7bee77e33be8a6916bbbfe2b94bdc832b110da982f88449aa88baefdddc61c7
SHA512e1bb0fd6362389f4039d210ff7f516f7d405e509bc585d43e51b2763b3906a3c94b1251c826538505478b53853e61757457c0b231b0fc60c14b95248ecc6dea5
-
Filesize
570KB
MD51e748c74679dc24e68bd70622808366f
SHA1145ebe3523b0d7c976b7d1e447f60a0f9b75b6f6
SHA256f4f605bd9785f7ec8d6d8dd54c91104fab31b1118ca8cef89ddf85ceafc6eba0
SHA512c83932d88c4f23b748bea4fafc526664e9e5d47cda25af5598289e057c6930f4573b7a4e2e9fc76bf29172e71275e673d479c9284db2f506e8b5f7516b09c7fa
-
Filesize
36KB
MD5fcda37abd3d9e9d8170cd1cd15bf9d3f
SHA1b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2
SHA2560579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6
SHA512de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257
-
Filesize
64KB
MD51580aec1d0f66829dce6ccef68934695
SHA19d89dfa872528cc580f96c58a015a0af2bc3434d
SHA256ba365e77c092e3a229ad0b6da6614d7aca96a1a5efa3db4a82ffccdd0101c4a5
SHA512dff76812bfae945749809158c1c9e4a5421c6a71fc428d6f69044bbfeebba2492a9a2dc4bdb397662fb2f7bee7135547ad89da162e7ac319c3f7d67932d5f881
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
Filesize24KB
MD5728cb206b90ede8d1cddc0f955d5f385
SHA18a2b7622e1efd815463ea09741c1e5056d424de4
SHA256f9202df4376322c2840d1ffaf051ba56086232d3c835e4e6bccfcbc64ca28cdb
SHA512bc7102735b7faaeb1b41288292df1145b27eb58269646eb78f74debe5b53673ffdefa79d366a706ce0273da9e0fdeeb2fc08cb805a3ea3af4a3c12492932413d
-
Filesize
7KB
MD553599ed7d2c8f74c733f4ffd2242686c
SHA1dfb5d5a2a903bba772f7e2f70e3ea0bc957ac1e7
SHA256631f5254cf72fb50843ec994d4c075e384cd25195e8bb7e9ce397f23aadb7b55
SHA512edda9c4346df6227782983e0a892224d615905ff553802864800c08c2ac66d0c934ba0cda5123a37332ae35f40b18a6eb4a16ff69e95f713810a0c7e867fe380
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\1DCD060D91A612651706AE8FC96D842D60460D22
Filesize219KB
MD5abf2119ffcc478db0dbca9fdf8e76790
SHA176baeec7e7239960da03189c58eb09f65a09ce9b
SHA25679eed2f8de914a7fbfeff133fa7a97c16ac393c287bf8b5437985f7f34228975
SHA5129a23547a479a83c232365fcf5017b7ea261134439d588255318ec76c6121e4f52834499b1c3037cce5e6106aedc42b9b513f73609da14d4cb328dd7d9d7aa49d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
Filesize13KB
MD5376bf9b483a04aaceed9bb28b6ba9333
SHA1d2fcbc5a38f6b191af9232de36cb29d18194216a
SHA256eade26f0ed5ab972acfe773567afff7365c94c9cb030acac15a81bb963b668a5
SHA5124f2dd373a692042e037462991f58e99ae038088452b94b5233ec7b861f3d8490f7d49ba0e5e667cb0dfbd3fa61227f65b547a8fe8cad6dcbb897cea94d093ec9
-
Filesize
77KB
MD5317d2dfc6244a981ef100b8312f579a9
SHA1e35dc1a7316c8bcba4cea481daf27b36ea3cc383
SHA256dc3516c65036e305964105e11f6865e1d5a3b171d8d2f765fde18c8f36bf727c
SHA512d2e4182c88aebfc98b653edb902c74beac38694b7cb9fad13f78a814ffe2f8babd7c5244f59b865a2116dec8d58466a367199ad99f1bbc836210fa63f3d59c96
-
Filesize
137KB
MD55d80b61c1f9e31860c17b3a410948e7e
SHA15ca292116336ee4ceed00d10e756afea580e62cf
SHA25658398ba5cda1b7cb89ad4e03dd4a658006956f81acfef4efb4e7dd934e2733ef
SHA512bd97f9b96c3d831bb6988878408dd6a26e4a64791b540766fe578e4c79fee54bca9af87447ac4c3392c1f0c4cf4f14278ba102fe9bf9cf8f96b545e2908f7346
-
Filesize
229KB
MD5cfebe457d00a97c2c5f8930bdbaae1f0
SHA1526e95d2afde5ef07dd0aca671261dfbc7fcfa17
SHA256cf8e552ee05cb0e872797ecffe0f9d3dc67e513748f3cd957f79e0f2f3d66ac2
SHA512fbded4dc03011e58219f622e724c0737475ce95a1a3619ca5e68babe5b734afc664523e93f96047e20d4d82411ccace0bac42f1dc77a2da2f94886ba04fab8a0
-
Filesize
248KB
MD534d12b1e2af72d9bb267bbc8c0d53e4a
SHA1d9ed8776645f6b4f52df16132450863c47ea92d7
SHA25613b2cac3f50368ab97fa2e3b0d0d2cb612f68449d5bbd6de187fc85ee4469d03
SHA512c0a063477cf63a8b647ea721842968b506d70ea22c586a412707d7293b46c218b6a510f34b7dbedd3ed29a9d4b5dc5c6a1995403d65884b17348a9545e580a10
-
C:\Users\Admin\AppData\Local\Temp\sqlite-3.42.0.0-8630f1ed-be1c-45d3-a2d7-25e47bdefccc-sqlitejdbc.dll
Filesize913KB
MD516d165c26c43d841b5ec73d8e0d6fc9d
SHA12673a2ed3c7e269abf2b3203cc5bcbb52031f93e
SHA256451e319b14cf9b35b99cca2d245e50e97205b7dcabeeccd8fec6bb54c8a2e84c
SHA512694d5261d09a03e1967d41cba5f36a855a0fb9e4684b918ee35d62af9ff671635590f07f1a709de17b7672f2939cdd78f0c0e6c683e90762dbf9e12283c45686
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize14KB
MD525a694739f3d2805dff65edc3a627403
SHA1d990a8a86ed8d4b914fe6e7696835f37f55b96d7
SHA256860c2af48f9e017b9682ab4f34f32f8c2af201bd12e07c561ae0cff5a4241680
SHA51262bcafc023fbc09d63be5e8ab52d40a25adc933a16febc57dce55815e8ac7eb52559cea181b9fc0a9824830b66cb7277eb3da54233dcf12a0ef065349971dce4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize13KB
MD50df45895eabfa9829a0c692812bf919b
SHA1fb18db968eda09bb1c18913ab45800fd691b2838
SHA256632c65b12f29dbe905bc7a779d7a1bc1bfc8b80f7da1effaa011842e08e9a66b
SHA512ddfc68b6eea77403b979209d422d5c1906abd2834937d0a773cde14bcc2820bc1d2a1db7966cd11a00d8e291bbbedf9517cd8fdc4d46beb6deed2c017d8969d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\datareporting\glean\db\data.safe.bin
Filesize182B
MD57d3d11283370585b060d50a12715851a
SHA13a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3
SHA25686bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9
SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB
MD5
fe3355639648c417e8307c6d051e3e37
SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B
MD5
3d33cdc0b3d281e67dd52e14435dd04f
SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B
MD5
49ddb419d96dceb9069018535fb2e2fc
SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B
MD5
8be33af717bb1b67fbd61c3f4b807e9e
SHA1
7cf17656d174d951957ff36810e874a134dd49e0
SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB
MD5
33bf7b0439480effb9fb212efce87b13
SHA1
cee50f2745edc6dc291887b6075ca64d716f495a
SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB
MD5
688bed3676d2104e7f17ae1cd2c59404
SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB
MD5
937326fead5fd401f6cca9118bd9ade9
SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
9KB
MD5
708f5ce7543f4bb913fc3824353bb5ce
SHA1
facd9c290d1910474c095f893690a8b9c1a9c7f4
SHA256
0a2972510c8ba4ac914ae9924e70bad9dcc8c48c9b47f0ffab33eb6ec383e12a
SHA512
b4b759fca0cc2d28cf18e51cd8ae6ed73a3303843d54c32d0e8b815d7b2690c0884040e97a34da6ed5a8c1f2c642ac3bcb4d9d92e9961ecb8f6c44414d3ccd13
-
Filesize
7KB
MD5
8378998365cc21f95d0a69d239eb9377
SHA1
744e2d21ca058d0bf4742f3b8460922a001413db
SHA256
b3d9e9d974cf3b2589b837b5a314b639efeb57173044b31815c7c1acbf908d7e
SHA512
c22985390609884eeb111f7337f2547a082e5dd77babfd886b8ac4d4655451f278fc9e8723b34a29323a771251497376016d2aa2403f668adfe08e9763c266ea
-
Filesize
6KB
MD5
b412e8e0338b9a474d0561a269b7f469
SHA1
91f21cbed0907e70e69032e443a601c3a1ddf69d
SHA256
623ab19cbe1ae914d9d8a6df1948cb6dfe02cdb44db2f03899bd13376843188f
SHA512
883191a9075bd2f77ea964c2f675d60a60f8c15126cd0d75003d5ee49d20590ef21d83d447861500fb001058fc8c306da9460b13d4a92626b82063971e5d6fee
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB
MD5
52f7e941d6e29d232fc5c9335dcbe0e5
SHA1
e953cffd3592fa4566c60ad2ae9b647ccebf5c43
SHA256
7924414403c470f74038d475c3734f8471743d8636bf84ab6f88e51b7ffed4cd
SHA512
4ef420d3b18fafc328b6307b380feeec333bccb6257b57beb3ccc0fd8b53b4dbd917eb9040f81197688b8d86b787483c2366d779c58a9ac1f6ad875d15f41d41
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB
MD5
f3b6101b75d4bd0c34d2924716d2faec
SHA1
e583e10fae31eddf04bb4823ce22d60f6cf75d03
SHA256
af366c42c994437c91a84b6811c9b1e17cfd1559086da357483dc02364165c28
SHA512
c8d835b51e001243be93c01a8d578953659f6c71a7f2e499c3a66e8c6cfbcfc7c17c912e8af3a1a91af82259deb943f85868891e04f73263e92bf466cf63358b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB
MD5
8a7dbf69bfb7a7994f2674065c27fec6
SHA1
5ecefe1c80c30c47f8a6fecc026b4f37dd551b1c
SHA256
2c0a5fca69f38286432599d45b2929c15f952fece28df10ff21f348b16d80c47
SHA512
d912f58b4ef20955ad5d48968c7b9b29312f7bf6a4a005a60e73e1c246ecd79955165bae9ae9574dd3167506f7b3a8bf00a0dfd11d564fcddca7d6f6f42bef3b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cautopsy.com%29\idb\358272571LCo7g%sCD7a%t2a4bda5s.sqlite
Filesize
48KB
MD5
9725f8756993cf6298159a80d7899ff4
SHA1
0431e762d6e7e291079e8d777da36313afb879d4
SHA256
baf0ee04b03b6ba66536aa44dc62d5d81a7740ff893bd988955a71a604083627
SHA512
7d12e487e24f9735c109fa121b386563f41fb4b031db7cea8a89b8b876352eee5b3c5f8e849bb47cf7d2602296eb25806d5b0477a15d515bff08fa2e31e811c3
-
Filesize
18KB
MD5
eff6d99c94baec8a7a069a2726a732e6
SHA1
41696c191223aea7ea13fe150ad8b95cd4f6b761
SHA256
6e2c7ff6f4b1e0fa848ba80c4b131eedd2d7f5f80be61dd953b402a0d7d2d14a
SHA512
de0a2e317ec46b6668be068bc1ddc1f2ece641349b1940273e33daf787652388e99a4e3851842cd6eff941b2ecd5ed3f717807a9becb4d9be5cbea6710a6b165
-
Filesize
10KB
MD5
7c90d60374097f9bd2801a37d5fbd14d
SHA1
bcccf7ebb6637318321c13f1a87430fe01016890
SHA256
6695ba8e7e2868641a129f21f024a20d8985376b378c4fa679a85fbfa3b022d4
SHA512
c59edfec60744b4797cb034173a98fbc5c82d93e25b7775e2c94df9b4f92918a64ecdb5bac263598cb24e971c03761252ef5a0be6e6cac96ffc879f4781af9ea
-
Filesize
1KB
MD5
b2d2e38af79ca877e6bd003963662727
SHA1
130115f16c07ef22a093563ca7834e4850d843a1
SHA256
da30a7c5154d216632bdfdf03c4c8cca4c0cc16306b6d1f1ccedbe318c2be306
SHA512
ad67d8dcb42b399b565745fe8fdd961f95eb4430d6ec5138ba62f230f8efead400c744c8df99164326ae460aab189bdec7b5c198cc178b0195637f19a0735cab
-
Filesize
12KB
MD5
5f4ed131e7231711f695140073a5bb08
SHA1
db5efd64e6b1d1eb60a0c49d4a7d3d4d0def1a93
SHA256
6898bd52e7907c092074d849c24e495c57c71dace5a487c7316db162f7b17edc
SHA512
70f15e69f83d38f0966c8f4491b6330eb4df12b879d0069d8250ed14ff07fd0fb8bed53285b3bffd8a0b6baa1ddca9ad6f10cdfaac6c356b55bd98fa2085ccd6
-
Filesize
96KB
MD5
1432bb1761139cfbc5811c3f010d2173
SHA1
540b057e89f7c2a0d03cfd3ba54a3124df411a0f
SHA256
937bf05e2d658910bed5508c555d644c6d214c235bc97d24484b5e185e2d1dbd
SHA512
7836ac6f1100ec282cd8f46cb360d36e68743600979ffcef23449af925ba00cd6a5e644e8cbc0398192656b4ec48b4c571319576a410160796ef745264809ebe
-
Filesize
21KB
MD5
844fd2971daf80cfdf57a7eb3ed33bc6
SHA1
bef7b3a766263b86ef972e0ea4fc0098a9315ab7
SHA256
58dc89237a356188da245fd89ad6c7babd5706475f2f5814e57e76b5dee3eb79
SHA512
6d7b3004f3b342657e77c4ff5c595e293a39cf73eb4d4fd33c7539fbe0bfc2d1231df5bd289aaa9ea5cc695aa1b0ecd04b24db91829698c4a1c7fabd24273768
-
Filesize
5KB
MD5
8bca17474edbd8759ea21fcf43c8591d
SHA1
6ed9d2e98a4a383de85cc42642f1c52502d525c5
SHA256
9d8585ed0678a559aadcea47677e38065f0529c6ff91e5434651b39bebcab04a
SHA512
b8a0af5d45ad4bb89f0179b55576313242aeae3bd863f9af0de307e402839bf8877b1222d632dad6c1301b74c1db31b248e1bb97a019aa2d9c1b14a80261d76d
-
Filesize
2KB
MD5
a7b1fecdaa340809739c32de1d4f39c8
SHA1
a32e62d54fd014bb3d656523b7dd43ba46600fad
SHA256
1ff182e74ea15a56db16661b497abdbd00283c4ff6c0ba5c5afbcb4976cb5e56
SHA512
c8453cbd52e25a755b9e849db9e7b1f12c2be6f68002c606319c5d64a820ca537a8ac23e7a64e2dfc48085a0c0bb9e783f698fbbe2a51a15ff67a98499b196d3
-
Filesize
1KB
MD5
e9fab5b58a16ec08cac39ba6bb9e5fae
SHA1
37e6bd7f527eca52c5f8968e7981d2a0f6248945
SHA256
5c38f9d48898e8466f1119841147a6a9d0dec4094634665b21144e7560f59b71
SHA512
7b7307a5f83badf5dce8eb71d52c158260bbab953b2bddfc6af3d501f1ced6900e615799a70ee9a52823371eb1ed9007354dfdb06364a13bc02a2deb64c065c0
-
Filesize
2KB
MD5
662f4dfdcc0ab9d7390b770409f5b4d3
SHA1
1508c98ee89ae99faa5869d9ed46ac558080ceeb
SHA256
1d705909890c90d9a0db8ab355c0a22fbddd0cb72b37b6f02c3c794580c28334
SHA512
14d58e10aec8137c1327f604d71db46a1b53c3b95be6eef752c1fa7823f0730adb0050081e7036da3f0b7d33e9d99f192b2c2b8526ced3f093a3f9b50291fa9d
-
Filesize
1KB
MD5
4f4414b8e86c0a9464aa6728a7c0f26f
SHA1
0d36d7d0dd4c3c5b4710d94b71b20871787caccd
SHA256
c8c9f749467dc5341ea64b1afb1f6f82fb01d94d2294db04850d408142d64e32
SHA512
11d09b770a9099f9dae2f919ca7998ef41328be7c3669b5b71f86cba981ecb596b87b85b6d454507a601b42bfc2b0d7649cd918f53410d3cb9b15cd3f36e3870
-
Filesize
2KB
MD5
5ca1c1b3199925e2f32c712336a68456
SHA1
905a739c25ca1e6e8bb35fce6ea714466b032edf
SHA256
2c40f107ba1d6cbe3a03beca817fb71b625646c57445146a2d88db6aa1335bb1
SHA512
21b3096338a0041ba45b5235981319a893ba04d02efe074b3bc0e71165a6be44f24670a6653fd292c30467d3580c75ef7bef00e8ff13f10879c4fd9fd711a8e8
-
Filesize
5KB
MD5
53d0b8c9012a5342e3728bf1fe29e67e
SHA1
52c82e14e0905e16848201d60b363870f08a8222
SHA256
b9a163cc5b64c902e5918babd3fe771697396ce9c15341cf0e1c5a057b6234e3
SHA512
3b2d7baf00dcc0075ec7625bccc84a34e7a489db1c1b38adb45ad8746d1ac065b236c89e12682c7338402265c0f0d58131875a3c4ec911bcbb75a4a28d1df05c
-
Filesize
6KB
MD5
cd7b1b22cac623b5175e9df233463388
SHA1
55139ee91feb3ce1b3d516873a3233e1bb97535f
SHA256
cd7e9530545bbfa0ce9c364a84cbac5e5fcc749909366a69494300071cbb0ffd
SHA512
6fa2a4fa7bde1d50107141ab895aec764ec2bf80fc7a0cef3e24fd30abe26b932ee783a11b2da59788accf27ede74b2f1f31e21795592bde7ff864fcf1790cc0
-
Filesize
8KB
MD5
1e06326bdfbc8756357ad368aabd9240
SHA1
2f69b99cb57b82e4c4e6d2a1aa77b522d98731df
SHA256
b105491c2a9974d89a0a24924151e443a725ee5aaa7256290178ded4e6bc7549
SHA512
ae8643d67c65bb024df39b301ced00fda60faaac63a679de49405606b8998aa1ae3912296b1239ea1f3121c571fda058373c4ec39ef638adee9562129edf5faa
-
Filesize
8KB
MD5
1a1d1f5f9d7475d41a4143375d9fc81b
SHA1
9bd07410233877c13a230a4696fba57a3673fce0
SHA256
c00e5f04595d2cc3ccf770dd09d2b3773015c120e092d9843b4c34b538d07826
SHA512
780c107f40c0a2f328d6d73dd58b4ea3cb7b1304517220f307a6d7558119674b5a9257d77182b69de85cc42f118e8464caf189a314ec4e8965e171941435983e
-
Filesize
28KB
MD5
6f0a4a1b55a66fec1ff8794c4cdccfba
SHA1
5fb32b814ba1103fd862c38d8ba6a30589b2e5c7
SHA256
4d8b6918bfd8824bc99d0622e0e630bffff05fce95af686118928ab7b6089cac
SHA512
18d7703f8af698e731b75a4f493e973de08d32317fd69bac4c24446f1511ef5a8e22f89f0084c40b2e3cd75a88eb9d611dca33fd1f2a4a294414707e95a2af52
-
Filesize
1KB
MD5
f8389eb3cef9caddc7bcea4c5e945bbc
SHA1
a7565c771d0a819f338acdbeaa73a6b17b0f55a2
SHA256
68607d0ca511723467dc373a26a09003a55a68d4080cf4a24c329bbf755b3b75
SHA512
b699ffd38391cdb62914b87e847727d7e5e6c4e182ba29eadae75ae970f8bf882c500b3b13138e5f78c237bfeef83b5c2fc5d40362aeca61efc11dedf567426f
-
Filesize
6KB
MD5
a5689637997de73dc7715297af864281
SHA1
fd04ec9f0ac25a40b8b215b9cc97c240565ea5a4
SHA256
ca86f3e77fed97f9b185626a564a0bb49dd70073c9dd0a1a96e31f57e4bc3f7d
SHA512
0cd527e970ef4c8c1a60020986c34d8cb32a0d2d0bc7efb034b13faa5b8fc68a632cfd059f6233c5314b1809df75288fe476e441d3d0ba4811e33af8dbac28bf
-
Filesize
11KB
MD5
930a24460a6a0526d4f08533f4d82be6
SHA1
466feaefbde181a7fea4387a00956d9f79dfd878
SHA256
17e9bf7577bcf4c20a1498e05f4c9594379f970f89c6d7fab2ab9779611a6096
SHA512
546aad83fb37343ea016c1f9b6082495f2e28b7072b15da318e13fce204471973c87c7dd6413bd40fd259fdb17b4ab6a1d91aedf24dc4cbcc6fa3057754e84d5
-
Filesize
4KB
MD5
6315a70ce306a32a661d7335da6b1273
SHA1
48227a85e4bc038b790edb9f00aa47e7be5e86a4
SHA256
425a30a56d837944432604ac3fc8736824e6c521d3b1a3d687f14764ee414f1d
SHA512
e96ae8a17cfd22930b4e5abd74e285c487c66727e305dd73873102f14ca69fa1f427d2e706d9970244ffdf0bb108a7001ad7d162afc70af2fb6c8e4ef844936f
-
Filesize
20KB
MD5
d90d30c1f503f4f216753180e9503748
SHA1
95d77013523c3cf2d96175c39174869594773b4f
SHA256
b08d2407d67958ea6938146d51c0171a46292e4d5a56d2cf0191644fdbaaa776
SHA512
3eb76a2c9e88c95575316bbd37a09c00d011a777c73d13e0768d24885c3cb5420030a4db6b9c0c429ada727ee6d002b542791034be2fe6e6aa3da0e779dcd40c
-
Filesize
13KB
MD5
600c1c57bcbb5b3c197d0e4f7cca34d2
SHA1
93d98a828e706d72379f1f709237382119a67f11
SHA256
b6c41368db9831102d9b806bb64deee81a46ef3434f3ed0446e9f7b90ac403ed
SHA512
870f0a4d54d7633dee9bbe90951daf3d4211fced0f9415283ec3393bb46345742526cf77ef56202bec53dece5eab967d9f8d1421005d0ef23df314b283ac1414
-
Filesize
5KB
MD5
f80d8b3600222ac492ca79a5232f52d0
SHA1
c2c935da1bdf84dd72b3150c10cbe52d078573e5
SHA256
1e15ce3674294db9066d3affdbb27f156bcfca8749c8a6acb7c82fb41b7f6c57
SHA512
c8d36143bff162368c6e6ee1eab840df260b1418e012a3fbaea644d8010bf5235a90814840f59081d5f4adc4a19d363caf34e651699332b853b8b8e3e512039b
-
Filesize
15KB
MD5
9ffa79e5abce57a56a8d2bfe66bcf65c
SHA1
0a8148a709011c3c27f0c1d2b6f5e98440a079f2
SHA256
1bcc418e40b32c8713d62db6035271349aa598a1733b4f09144619bc1e8423cc
SHA512
1b4b7610a384c9e58daa72f82e309b841e5a7104ddbf0e116c3bf163142da9c0ca86396c4537204437ab1c192003276b24a58f9152d45e8272aac97ae271524a
-
Filesize
10KB
MD5
5558c71f9c800f09a23582b26142ba2e
SHA1
a904fa0b5ff1f00c16b39402cb1a0ea14734e143
SHA256
74a8daebf7a37a05f4e6b3cd242061fab5c0551973566651baa62b77183d0fc9
SHA512
69d7ce4f28e41e2aefb620b959d360d0b9e3595599a3900428cfa55f0886c99ac56a701bde9dee7a454fc663fb595d04cc45eeb4cc78ff6392644042b86d5199
-
Filesize
17KB
MD5
b702b3532ae502f8e5a43d01005f5d66
SHA1
8be77d1816c8a421082d435655b877fd38629c42
SHA256
bcee36034f79774500e10d69df0c856db5de5354ff0fced42410425047a57e82
SHA512
209cd787fa33dc2958078900246eb7ad0292404f625a8a3da5f195c0a3d85e2ee31a38debff6fd9f12b6ffc3117e793e99debac2262897191582cae837dae063
-
Filesize
6KB
MD5
37bbc0a170d7e791f47c3ce5a8995602
SHA1
3e39f39a8e2d34a6901a27d0a13a647f706231a7
SHA256
6bd5e5a56a6238ac4a908cf233ab65ad343506b4b2ac88dccbd3ac7de1cea71a
SHA512
1071f5b58b44de52cc3a37fc7a2a7406ad9d5472135151e612f0b3ec25de253a6b6226160b4bfaea98a6e8c8c1a00a66ee7f4f24704233ca1986298a0750fcdc
-
Filesize
20KB
MD5
d2b230e8745f16cab316245cf0d567dd
SHA1
e2a9f2fae2c13551d1c673664eccd98ebdd04312
SHA256
f781581675e790663bc00d90c39cdb9678f3890e9dafa0c18cb7a0fd744040ed
SHA512
5fec922ed852269cc1447fc34449ab043d5fdd6336dd41f45931dca734ec44e0fcd700e9b05f265429c3d0339d87fb14069bc55a5313bc653eafc2627cfaee1e
-
Filesize
6KB
MD5
0d8359d6755ed436abafacac8dd660aa
SHA1
f8b39bc1d28365e051d9ca01a3df11ff53bc4690
SHA256
b83f97e56bf2f30c1424e132a941f8a3f0cfc44bd751fd97b898fb4c1485a3a6
SHA512
068c8265eff7fa9b4e5ad7211392956e8632c7ba58432cfba86e0cb7e72e81a14d6ccd921b9fff4577babc7f3e9bbeee8b7ef2df539c5497e0cafcfd3be7ca4d
-
Filesize
7KB
MD5
f7342a3ad91623a1f4880d986088ae25
SHA1
9d1c6b741e362607b08e01e172613cd24a27a315
SHA256
bb0b5fe1a70c1cc871ea28eb615af416c604366abfbd9e91770d3f777035bd7f
SHA512
400ff7fae35de41d4f9657781605bce22b94928acad2ab7f2d74f1a3eb83fbec035770e9f5bdee8b106f28a0c47e444ea3b50539b615d5d68f60147cc74b55e3
-
Filesize
18KB
MD5
fb995feb37df4e43a6179c59f2b69ec3
SHA1
4c86e2fd34cb3b440e5bef0b0b0f800fee795510
SHA256
829229ca1124f3b70e1078f08bb9223601812212b94ea13e363e00f8f97c33e5
SHA512
dbf113c3143a48e3721209fa60e3a892243e97ba0c980be616b1884e7da309f82f6d0748d99a176e4d052f4b3be79a4148690a3091e7238a9820ccbddf3577a3
-
Filesize
18KB
MD5
a2a729ebce7b3bc16bf64af450f06cca
SHA1
9af2631882dc43765ba9906113e7a9b14e763f43
SHA256
f9c1b7b799419dc53c9666d54a9553ff7a4eebb296f60e36d48f68d339e69ef0
SHA512
f6c01623d194a90275de60fcf33fc1502069ba37dc699e7fa5613d09b50aac46aa7fff7d3aeeef561c90a44562a5fcbf15c61e264824c6f762663dfc3c475dec
-
Filesize
25KB
MD5
a0340169ede0b157b3291c252be36e79
SHA1
080826820a0a7a52223c9be79778b4d492a9db42
SHA256
07fde65c010b6b1787090544f1a50999d8c4b2e15a8a6c288cd21ba137d93667
SHA512
e86c3a874a350b78083736f78c287d6a0b73d027b6ab720b9abb51766213285b510c4c3a8823688db094c73034eb2c7fe81558cda7f8ab72d0f29500cad841ec
-
Filesize
6KB
MD5
259b21c2c3e39fed2a483d55e97376dc
SHA1
3e167546556903aa14baf39d252ce350b05216fe
SHA256
d597e40df83b90e96869ae3bf20793433b81c0588b1bc38958b133caac3a391c
SHA512
3a988e03289a8995c612d730d45314f9aafa86b51f1699d269ca29c83bf10ca8584006d79c7d30379020be396bff2d60342225af04913cb32ad4d054537e8e19
-
Filesize
7KB
MD5
df01f913e248faf83394a9e29af59484
SHA1
4a81ca4b518c950b063dbce9ed6f7e8956677ac6
SHA256
f73e98dd9c603df7995c493586ffdc12ccce765ae7566fb57044bb51be584368
SHA512
4cbfa094fcd5a39a0fba11d40c48397949c115b04c482718292b5fd7ad145786eeb5767061b58594d42ee5c65f1e11cfd4548a32fb0483e3747ea29a660c1ca1
-
Filesize
6KB
MD5
b2e213a1d642d0d1ca65b46e416a6d94
SHA1
74cb946057f21bf590af77052c6c9ad65463952a
SHA256
a6b9a31b5f8654853d2efae5f95e87932278e56823311bf54a6a461f8b7f6f9a
SHA512
50cc6101dc160bd31a0ab351e4026cb3c7943adcfa01b7e84cd8843950b6df9ddf65d1e3a1de2803127c8df0d91282800277f931f508fbda744d360151d9b6a9
-
Filesize
62B
MD5
2035c4f46cae8a8f99397d7e50cae88b
SHA1
3a8af80574ab1725bec787e75a7e4ff769e47c8b
SHA256
a6c03fee5791105f115090162004c582cbdac37703a3336590f2a74f62ba4a05
SHA512
3c64387bcfb3575e0ab7859331630b728fef87d7229331f9740bed6377099a4f615320bc5c9d09c478e6f15d62283b04e69ceef5dbff5c7d9b7180082118aeb4
-
Filesize
62B
MD5
db2546ba2737ef6d3c5c34abba8e5906
SHA1
4f9f9c22abc1cfdc30c04bac6fbed0b8c6e65f44
SHA256
985c9e9654e83bf1b399c76eb4355ea1aa0456b6ec3396422f4af4c16e46b72a
SHA512
704f6f84f68226e39f7eec487d875d3904b433759bb4b22d120a0891deae304f4c8279248e8c0963e5ce4e2277d834d0cbbc2f34656f3ff492170340a3840b47
-
Filesize
415B
MD5
5047357ce4ec64c59abcfa130fbfb769
SHA1
8af174cbb9e4ed0222473eda4d54350bbb23790a
SHA256
b13252ea531eba9b10c492e67f46dbac33422f8f39a5166db23929135076c662
SHA512
3f0bd736e638be6f5df230eddef1e3a802450c8cf2a4dbec3a03189b9470977bab36104e2ce521e61c69be62b19afbc29b4ef15349bc0540fc65be14ffe127ab
-
Filesize
523B
MD5
9128f3bc1bca26de4878ecc796de2f00
SHA1
b65750c3e8783f50a34ee8d88b9e95581dd5ff91
SHA256
84580546c58758896cabd060eb015c4cb2cabc7657c43e9944ff0bc02054792f
SHA512
64916b44a3deba230469d5a9cca8690d9b477131928ae01da8863ed9f37700e0bf1015ff037b4c3e727ce8d5227eeaf7284884876367bace8c689059389607ac
-
Filesize
568B
MD5
eeb009f5a97bee06167f8eef8e3c111c
SHA1
40b833d504e655433e55ecd0988d0c53f3983ce3
SHA256
8d0e0dfe62ef4a5f04650bee22334c43af239c64cb8c393dbf7946e8dd780e27
SHA512
6d1cce6c728d08b233aeb35f63d9c083f205a6df5b7ef0a5c047827b9c7559997fbbd5c08254fe3ea477c757b9690823e2f330c5a4c790eeb9cd7f878441e231
-
Filesize
600B
MD5
309cd7414b9a366a1e5bcf0bbaa6fed7
SHA1
bf0d2472dfcbb254b629e6d4f41063c8bdba8755
SHA256
28e70c2a59583e4418459095871b408c052985f0717eca64bb453626706e4563
SHA512
97b879366e3efc1d3a8b2a2862fe47729458ab808beb09203ae71ccd4ba24f84524fd3a7ad1d046fe2807eba17aefa9cefd1508131da717429cbca89c1dd38dc
-
Filesize
334B
MD5
5ed4faa6cb56ff5e91e1253b75908dac
SHA1
9acaa62eb16ffa03aff7c409ab3dd219359b3ecd
SHA256
2f50a52d7df8608bd3a0a11afbc90f423a264bf8f5d3a6efcbaff239a7faaf77
SHA512
2f3ea5a66d809b6efcfc97403b80d624b8950664b47af595559b98dd4f5181f385abbb9a51d4993de567602b9108d554c3e2b49dc2f21642b094647df5acbe66
-
Filesize
62B
MD5
cab9fa41df154b5723aaee387b3889c6
SHA1
8ddc072b71fd92d3a8a5af599157e0061020a7d5
SHA256
41b70e837b1cfb690b6ee4cd2681044c9158c3820732271cfd4957fc365bca88
SHA512
2550704df60c5d86c92656662e64d7af9ca8fbf960f6e5ad339818984d701be14c17ee26c92b5d710f4fb66aea6f8d0e34e6745cc3f3e0981434d0899cc5a922
-
Filesize
62B
MD5
796ede5a792bdd5b925df9945e6bbfe0
SHA1
af84f5ed19a1f69c431b4888efb7ea0fb22aee18
SHA256
de249227b10d550f3524cf0dfcc1d527b5c6ae14ebe2651259f3d9c00ed39ff5
SHA512
cade536048b48258787525d3fff3d6e13249b751d76037f375c49bce55d75ae14abec4afe149cb35b0885b5fc56cc5f96bffba5d89fcfa9d1ad5c93e5a8291d4
-
Filesize
116B
MD5
bea6984c3c14a39793124d911daec82e
SHA1
f5d8e9ffb4a476479b48dd4c0843508b829bc37e
SHA256
d2cf2f3eb78bcd3b1a93b1404d60cdf7531033bf54d03b402004d59702888234
SHA512
10a01c5ead19ac6e493435adf10c321603c91b62eefb6f17b21890c8804216265c56460a061e1e76961b7d8bd30207a2ea1cd2f825f24dbdba6c0b84acc64130
-
Filesize
63B
MD5
c831aa1538d4f8cf06fd981cda840b81
SHA1
a2ea85c9c2c140443b97be5b780884044714ff29
SHA256
a9d7cd3ff1206a5ba285c5f4b742f51746edea4b4a6aa17f605d8d460b3a6e42
SHA512
0fa10552586e292e374cb76a5216b6f29a8ae91c76f7020cfa735fe48251d64118c6262591f63c20923b1331cc34c694b9802499eef43a52e3c1ea0c76f40681
-
Filesize
90B
MD5
9c453010ccf01552f94869ef0b9696fc
SHA1
17931039d8722270b64d3c9888a7362fe03b0ec1
SHA256
816faf29477c0c1686f8be082a822bd1a980a4c4a12f63eb0002a3ed19c50b2f
SHA512
4648aeeb89fd8238d1119d8a957d1f61b3c45acd2712431a4606a1dc4370b25bb94b9fd201eb9d08f0d2c3b4ef3986c6d6789a1e8647a24ec1061121fdbe594d
-
Filesize
59B
MD5
8545f9dccba284848ecbb7e44deef51d
SHA1
0f717bd9929a28e23578c07d1849c7fb302cd6c7
SHA256
4d03bcd7b41640c95d8b7bc276b48ded613314d14ef3a9257fac2918d8fad0e6
SHA512
3407f099b6fceb160922bb190750a5bca8aeeea05f939e4fc8ef8758597d83ebf2cb4feeff2c22bae26db3a72d797aea8d2e82a0cc5127458918f268b5ba2d06
-
Filesize
77B
MD5
20fa96137a21fc40c4d07e6c2287ed9e
SHA1
f346e80e3ddc7dc71fb7e5c309475ebf560df746
SHA256
96993bbfdf5de8b0aeb564bd7db85deea8060b834d926659d66eb872ca24793f
SHA512
d584b199d81ad4b5ec33e7f1adc1aa55be0ac7ac99a82a6de823002d751cdfb8826c57eb7a4cbe998e6eaeca64b01e29fe78e5aed44e13bf2b260da31a9d9bdc
-
C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\CentralRepository\CentralRepository.properties
Filesize
62B
MD5
548e14025bb99c176001f6835baf7615
SHA1
3fd5840f6704836e7a4b9a15f2b3e2fc94df16b7
SHA256
47cbf4001e025ebbfaac6160fb1b8bae590fe0d724f5b899a2f3e15dbb282839
SHA512
4dec5b75bd2502dfb82e544c97d8210fef74243417784c216766d4962074490c0ebfb1d7405dd635de656d1a099f4efaea35394a30042570d3e0c973ba5e4790
-
C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\CentralRepository\CentralRepository.properties
Filesize
295B
MD5
5a1d7b06cdb02765f77290967ae810cb
SHA1
accea9423d89a5b84d456ffa3234d9dcb68bf426
SHA256
50195062488bea2bef1a614a767cbeae180b2c4c665a9fb6136adfd34ad0b732
SHA512
165ea5f7b4a5aac1ae73edc1b598394f0ab3236b333f95d2ff935ba7295fbfb78644c8c4cc829c3e9163033be9ba38b7439a8193a948de74e47be76c98b4754c
-
C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\CentralRepository\LocalDatabase\central_repository.db
Filesize
1024KB
MD5
105c7427f543efde37dbc07e9cb6d5fd
SHA1
12d407ed2c2e5e980d2a2440c9d5f1e96b7f1f73
SHA256
278e3e639af0ed304b8ab868919e772618e52254ad96b2c295881ecc83aaa00b
SHA512
45901d194186971f950356240550916a194ad5568e543294d8bb9996b8181acb7c75a7e7d0ddfbe7e4a74c2a6fe05a5ce13e72ce623cc9f55976dee70b8a02f9
-
C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\IngestSettings\org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel.properties
Filesize
628B
MD5
4b14e3a4f0eedf87ffd61dec23a3b32f
SHA1
554064b7be846e1879faa8065d71dfc57ecd5073
SHA256
28ef6a3c40be40f637da441487c3f56a938af4eaa6f70c3fe6580989a741f350
SHA512
8c1b8a8e72e94297516fb68526a254789274670e8a4f9af026ab2aac5e8a6bb33bd34525f4f843d2e7108420c166ec7b7cb3cf56f8e3f5a631f363742a0ba030
-
C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\IngestSettings\org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel.properties
Filesize
628B
MD5
2ba8f443e9e1fce46c5acd9fd6076e24
SHA1
b6b22f167d07c0d000f3335320f7dd3e7b9d6c02
SHA256
f36666fdc7b68dc31bba7d1afd7958d9ba1d9b18bdf7338f29ec8cbb0b1469c7
SHA512
862b444b803a1c6816628ab143ca2f7922ebf0b058d8b9fe48415d81bfeed5cfc298f3a2252bde6e6ad42868fe36206303b7dc9169541fdf88c0a5e2310053b5
-
C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\IngestSettings\org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel\org.sleuthkit.autopsy.thunderbirdparser.EmailParserModuleFactory.settings
Filesize
119B
MD5
aa1d37a17cc12951c63cc2360fa05dd2
SHA1
100bbd96e6fcde264e2aed3ab22782f3092a13a8
SHA256
b0ae6221d2cd68232c3235b9e2828d578e021fb33da7e9727d68728e2c4ad1b2
SHA512
c4474e763fca79aec2cd314b9294c290e99f686fd8b47ee71de2896a0802be1464f27d7f28c5e35b22a165d0806839ca2c8b96f171dfcc9f87cd80f725be31e3
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\core\windows\tctracker.properties
Filesize
46B
MD5
2ec3a5827457296e781e1c8e87dfde22
SHA1
2323b7d54b1126c403c3da50c7a43a8d1e1e3ee7
SHA256
2b58f998de3752aff5d49245ec0e743106e626c85d082dd0a46cad826c37cd37
SHA512
2b14f5e2ada80fa74a89da804f93592d944abb9b4f0a4e706e3df5e759f22f61a60acbb1e0f5851ff0c8910be6dec8ba9a5afdde04ef23de636a1d1001d6779e
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate.properties
Filesize
205B
MD5
e3016d31f61b449b75cbb16a941423a4
SHA1
b9a15fef2d57f2509eb5d8d5982c8c84cdc4f261
SHA256
b17044a68044fd08e4d19813e04d70217c630473855f2d41644f1c9840dd004e
SHA512
d92eb76b098dca2b4c4077c098a83c97f29a717f25524754ffead917e5ef68fe56416513a023505de8564f6bbdcfba09b44d6bdc7edad3fd913843fd975ae526
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate\org_sleuthkit_autopsy_core_update_center.properties
Filesize
260B
MD5
1223c8960937979bba282ea787f3f695
SHA1
fb303d6de1b2821f35e9ea648f862ac31367a61b
SHA256
82012f0cbfb8e635cd954eb9eae1e8c73aec5499ccfba85df71b257476dcc237
SHA512
a2969fc4a9414a9f58982375fc884eedd83bedab04f62a3e40f473acb831701accb7d3f39b1803e3fb9dfb33c1d9290926ca29bc1384eba25262ab51ca411936
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate\ui.properties
Filesize
35B
MD5
251ed043c60887a99c5b59eedb6cf5b9
SHA1
c064894a2545d3aad93763726cec82124dc1e267
SHA256
3295d0c7ae26b614f021b45bd716bda88609e925e7968ad20b5a69e25a5c4fd0
SHA512
c7eab2b51c68bde687b092d50063b60fc25eb30d4a277816349a116d640d0e8b789f65ef053795c7884e846ed0883748e56e7bdb7aab8f14c2a1f38a1eeec55a
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate\ui.properties
Filesize
73B
MD5
f83e4541a9e2f388fa76f6434cae0ea5
SHA1
0293d88c37bf78631c052e40c2fa26a77a4c2c54
SHA256
27f9bdc102b59b7e86a87018868a4fa9398a1b40f5af6ecccf966a57b380b206
SHA512
4c02a6c8a516ce5a2712aba8d6fa70f73112780a1cb396cfa57a0008f386d76d37749184f2774c018bf8ea2a96b152cce929ef4d4b7f88abc42017bee1ea30e5
-
Filesize
83B
MD5
0738988fc539c97e30ea4403b5539de2
SHA1
a4cd19edec86139b2ac302212b987957bf53a07d
SHA256
1e8b1d300bdb5e482c620521fa64c51f492e87ce1067436d553b754106b48bb9
SHA512
2bf04e3e47ff85c7f06fbad1b7a6dda9b492dc959f609ba167a43e8c77157366cfee622f8836809df4d4e034a0da32c44b9129a57d85853dcd4b65e4dc428bb5
-
Filesize
82B
MD5
352d21f9ae4fbdd67d20124473154edc
SHA1
86e3cf9ca4dd48019d522ae79f6ad95892fd4422
SHA256
aaef350dbc60ec3c05645ed4637107b8274938cdf3cf2fb953d2289cad8c1c72
SHA512
1ccb8c1481596b18060da199fa5450c4e490391c73dfd42c5b2f2efeddcd11102ead323ac3003ac7d62451291b949563f6fd9e0a092e90073de6d70938701909
-
Filesize
276B
MD5
1d44d20f8f7d4f67ad6a434da764c892
SHA1
71914cdc74e778c1524a2ecaee77af7977dc290d
SHA256
9b0fbae077aa7c625684b7495d72f11e4d50d86b71ce45dd3f61b677e7ce4fdb
SHA512
0ab6bbfe055d3e8d999983e87754b8cffe5ab92a6cac371932c087c84c963cfa5cc7faa492e47809390486e3146ce4a0ba635469d66f4ae8fa93a14e15cf8fa0
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Windows2Local\Components\DataContentTopComponent.settings
Filesize
1KB
MD5
e35469e5e2eebb4dffad1aac622b5dbd
SHA1
3cb914557930edd79cffe477fc298aadff6e7019
SHA256
553c4e746b1f228368541c1c685b44a8bdff2aa243bebf32a307d96cced4728b
SHA512
8fba413361fe345af0f7348bfbe6a32cc783b960e8a86e1b4e1038a5dbe9ae7429aad2148e273c455903c16eec5c8b3f0e7316b21aa4fb9958e3337a4b328307
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Windows2Local\Components\DirectoryTreeTopComponent.settings
Filesize
1KB
MD5
9eb2b09f1127168d0aedacce5a1f4f10
SHA1
aab38f8744ad764b381faa4bfd977a7da8a06adc
SHA256
500052ea62dc66a8c4c83ca0a38bd5b58d9e19edaaf34f545b50977f64b0ec78
SHA512
4348bb4d144d8bce399e6c6cd14aec25082fbb0c23ac56e01c40c96343a48c8e5f47934cf3cdfcbcfaff27760709b19f5d241ff015c6c0f6942f2cb92dc9970e
-
Filesize
280B
MD5
06fd7b34f1d5a826bb74be4ba530ae87
SHA1
94081aa8ba61bf783bf81a51f4131f7db2baf49b
SHA256
4bae1e6a585b5d37f1c02eda6a01ecc16a52821ed38ae4dcee971a840abd99ed
SHA512
c72732e6b56b010537c4d9e9e83138ab50ddaab71740574cb39588f6378aa8700ab56468c151d8521bdf79bc46ae3fe34bf0c4a5dae6e61cff3a94e23556bd2a
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Windows2Local\Components\GeolocationTopComponent.settings
Filesize
281B
MD5
f43be684f79f7602b6fb2a8f56e60e10
SHA1
3aeffe0431a399c6da9d5fe24362641fedb6b597
SHA256
e0810b6bb1c6b636e6d949c5c9fa93557f7ddace7ba6c9d6c503deec4d2e3cb7
SHA512
4bad5e58e40b627085fd26ab2588e9ce7100ecdfd0abf5429be01979f4378d8e273b6af8fef8b1bc1a0b626ec71684cf15f6a4b51a9c6fafc876a23a53bc142f
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Windows2Local\Components\ImageGalleryTopComponent.settings
Filesize
283B
MD5
5ea7f55d3f8dba4cf1a210a7667c8ce6
SHA1
3adbc99ec7baa19db1518c2238a02085082230e2
SHA256
01860aebc08557761cb0d4aa6ff034423acbc1caf24f216eb0d82085b8a37263
SHA512
7a292a3d242e2d71a8293339bacf27e7303dfffbb30032ad894721c2d036834861abd5268ce9b10867038830396fa8b02fc041ce697f0e86db822e74791a6ce0
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Windows2Local\Components\PersonasTopComponent.settings
Filesize
292B
MD5
d1e2734a763afd5f25105224cfde1979
SHA1
bd7782a63b43d759ba1825bce3c60426e1ac67ce
SHA256
340dc42fd08b6fd6409e6b6482daa9e9f40930fdfccefbd3b8b7c31b06d1ea8c
SHA512
584a20369b27c93d40d782adc16e07f76959497a88daec44a75109fd6ce559c79fa4c9841e839629820161e85fb26fcd22c46d4d9eb8075313ed86e0fbae64fd
-
C:\Users\Admin\AppData\Roaming\autopsy\config\Windows2Local\Components\TimeLineTopComponent.settings
Filesize
275B
MD5
29d8d01bd63c73e5967a8ff019411ced
SHA1
bfdabe000e33c912ee52dd5b5bf08b716308cdb0
SHA256
508c10bbb3f0e1dcf14e080ccf5dc55bdc1984641754ecb28dc6e59335ce1673
SHA512
a7a42c6a4aeaddc81fa0024760f351dc9adcbb8be3b1a6fa5309f8fdf9f0ab8392ea630e9105490fe9225083ca2e9dbe2cf544272c55166195566d6f375a1ad8
-
Filesize
278B
MD5
938befca94a2ab18d4432b06e199009a
SHA1
a03c99c4e6c703819fefe4214c5d0d1409a29e01
SHA256
4f6402043e73b3af9d41c8bd5dd42054d91b426943a1e26243ab92a98f02c83b
SHA512
158e6d9b2f00279657e1a732226c0b6e0d2c9342640f10f3f016a2ea64a0c101ac7d24377a4b48c45319199ea93dc782cadb5204b0a36202706923031d567e5f
-
Filesize
1KB
MD5
5c7113fb3d125db5c225aaa90284d25f
SHA1
62cdb5b43add156e5527e886141baa5ab25ea729
SHA256
92c78bd1969715e72d1de997cfe1a9573a973f815b27e85109ea0357f886f607
SHA512
c25cf3927bd115ae107f947e0e75a560e4cb31a2decba02eab5a12da367bd0521c9fd5b34b6c0cbe2f1d65655efa63bf67697443a0078d6b102e443fff7f4fb6
-
Filesize
1KB
MD5
3b58e2b094fafa414edb6900cbe34a73
SHA1
e93230a466bb8c1cf7b52f96bdcc643b4d4f2af6
SHA256
3bab0e4e9e9ac332ee3e23758b135ee998f642fe9065f46b880a337d8caadf65
SHA512
f709f18b159fd3ab0bee3931aa0cc39f1242f474e2dc53e8bba7b1b66b502ab31c3a1b1f1b3c11346696ad8b376322d101665730cd2644d6081d926cca89d1cb
-
Filesize
74B
MD5
68547416a0796740df3d9b90d987f2ff
SHA1
430cca99b42fb4e44d9e372eb06e0d256bc26d2d
SHA256
1a7e00b6b315a7b20f43bcb27708af9ea828c4a87db617977d3a3900ce3c38c2
SHA512
f665f4485dd21a66486b353e12843bace95dd9593d28141dc08d50e488bff40c55f158407a04da8d8fa658938e9b1413049ded6fd683fdccd61889d2f46c57df
-
Filesize
10KB
MD5
5b735c6604ea1674e935a5165d393ac7
SHA1
067c6744c5b7a1bebb7d3fc17e39db5bf11fbab2
SHA256
54eb5a7e071bae32d3baf1fe95da81978354b3fa6ebfeead5d9e8ce3046f332c
SHA512
dd81f6a9683436b4471a8562859a64803b055649f4db95b90fd1ee719228536d6a0171435c3f77617a325e9d45de74dc1962d114d97f6ed2fbc12a10d16f2900
-
C:\Users\Admin\AppData\Roaming\autopsy\config\org.sleuthkit.autopsy.casemodule.ImageDSProcessor.properties
Filesize
62B
MD5
c4c214a98a9e7c0980cae4a2e300c90d
SHA1
4d1fdec6a7e86b698a7dfe92d0b772829430fd36
SHA256
6e4cf6f7debd7a5e701e22eb602142e481dc00ee8952656c408f6bd6f7d0f266
SHA512
b74d735f7c0f5e85b311ba4f03c39c37298ed1dd41a8843f7e4a09cca42a5167ae32a57700d055668604b11ada726859f4f0028c59c7b7d037c8cf10805f914a
-
Filesize
62B
MD5
a33d26fef34d633ca5176918768d9b2e
SHA1
d877a90ed2347efa183169e4a071ce03161ced98
SHA256
ad6a7818b007157327ea6c6abab85c41ce0b076356238d8d44bec5ab4a49f801
SHA512
5693f4b5db4cd42c552c0e2e264ac8006b4b427f1d553c0db92037c7b2610fd515594188bae9a381bab66cfb17ec5f8d9684e69e7b6e61d5458817203f95bf18
-
Filesize
3KB
MD5
c2cb8ae924838df41784e20d738d66ee
SHA1
b2614c80f2eb0b3b960854f8d4c8be02891b6ba6
SHA256
912b04fdb630f5f62167b136f397da17adc63914e45f5d07d44c63d54d394a9d
SHA512
bc83e67259f7f98287223565a685e2e745d85364231cb12bbdfc8f74949dfb4a479755adecfd8d15e4b32fefd660b45b0b766f5265a14a4c5a17df2c821610b4
-
Filesize
36KB
MD5
bbe118c74e1618d11340a5afc01309b5
SHA1
963ab54defa022dae461dfb5f7e800e949444761
SHA256
65b6e8d3fb3357587e71cb4e4daf4176d29af0aa55057943dec6d5a7ccb2b7c7
SHA512
4d63cd5bfb4bcb9cdf93548893deba4600374dea7792bc58775d1734c1824cd1b8e8358e0b809a2d39af27781b45cc833e8956cd21c06c9c219c4e13900ce93d
-
Filesize
69B
MD5
3e0596f48a9db2571187f4a30cdb02c4
SHA1
7a32e09d896178f61187ba3edfd3ab09ebf5f7eb
SHA256
3625561b5a815da940a6493b5c188fc7996ed08dd16600931c61b3c4b896e71d
SHA512
3081815c97cca082494cac4e495af1557ab7167114c2188b975b4fd07a07c775ecc48430d8a3ffc98c61934e9978f6995de1450971598dd3309f64f55ab8a862
-
Filesize
40.3MB
MD5
a46e15c8d9c3be9bfa5bf6a6c1767746
SHA1
e28c77e466d19658c759cb7a5df3de821c9fbc08
SHA256
64a53f62c164bc858be651a6fe8f8c8ec1155a606c41d11fd96fdb4693b2e82f
SHA512
d4ae99543d5ede62b66178536d7677287de78d9128c488bd2187dc780fae9e3b4aea56d119ec6811aab1856bf3ede11b868a258df16d800a0681890e1cec8ff3
-
Filesize
37KB
MD5
3e7f51febfd9a2e34fbb3db4dd539d4b
SHA1
2c778faecedf04a16515656d05d7bdc96fe8f30e
SHA256
3f2fba48e03b4c947bc14d12d8b9f65c7a8eedd61737aec803945b65e92a2838
SHA512
2680ee49d63f63fff169fe2554c700916cc1a3225d72eae5b290f08a266ef31145415a7414dbc2a826a60e7130a5ab1e54f1ffea2021f6b09a5c338f8040d64e
-
Filesize
23.7MB
MD5
c97d0f08482899c118c17425202b9766
SHA1
dd2562a891c0eb911c4de62c02a8472c71d72efe
SHA256
9b494c22d83328ee03efc4d039a8b9f8ae2f067d18d9415ff56dd242343eb573
SHA512
9965926fc59b4a9b7dd47f0e1b88fcf4cce3982df01ac4d7795bd58120b6744bc92dd467e86ea83daf584c09a1ee7b749e3e19eb4cbb53346fe57fdf08832d40
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fc5513df-694e-4758-aa80-b32c651ad9f9}_OnDiskSnapshotProp
Filesize
6KB
MD5
134bc6573cd6f7ee9cb1503ff42d232d
SHA1
be00f755d0fae2e79e038342778d340657d50b60
SHA256
108fa00f3b9a1eca86f446fc324c9773aaa7fa75f599df42e2495b2f1de64327
SHA512
a647c449493c2d0a7cfc258e3534009124b8ed4043248915781989f77e4963f3e0f3be2be2e0315b2ab591e0c2c8fad614b9c1781b77230e58617ee28cee425f
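The dropped-files listing above is a flattened table: each record is an optional path, a Filesize and four digests, and in the exported text the field label is frequently fused onto its value (MD5<hex>, SHA256<hex>). Before any of these hashes are loaded into a blocklist or a case file they need to be split out and sanity-checked. The script below is an added example, not part of the sandbox report: it parses that exact layout, validates every digest by length and hex charset, flags records with no recorded path (several entries above have none and cannot be matched to a file on disk), and flags the digest set of a zero-length file, which is what the entry with MD5 d41d8cd98f00b204e9800998ecf8427e / SHA256 e3b0c442... is: the well-known empty-input digests, so that record identifies nothing and must not be shipped as an IOC. The three sample records embedded in the block are copied from the listing above; the names parse_listing, Dropped and unique_sha256 are my own.

```python
"""Parse a flattened sandbox 'dropped files' listing and sanity-check the digests.

Added example; not code from the sandbox or from the report. Function and class
names are the author's own. The SAMPLE text is three records copied from the
listing above (one with a path, one with no path, one that is the empty-file digest set).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex length of each digest; used both to validate values and to reject garbage.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# SHA-256 of zero bytes of input. A dropped-file record carrying it was empty when hashed.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# A label, possibly with its value fused directly onto it ("MD5<hex>", "Filesize997KB").
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class Dropped:
    path: Optional[str] = None
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def _assign(rec: Dropped, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
    else:
        rec.digests[label] = value.lower()


def _finish(rec: Dropped) -> Dropped:
    """Validate one record and attach human-readable problems to it."""
    for name, want in DIGEST_LEN.items():
        v = rec.digests.get(name)
        if v is None:
            rec.problems.append(f"missing {name}")
        elif len(v) != want or not HEX_RE.match(v):
            rec.problems.append(f"malformed {name}")
    if rec.digests.get("SHA256") == EMPTY_SHA256:
        rec.problems.append("empty file (zero-length digests)")
    if rec.path is None:
        rec.problems.append("no path recorded")
    return rec


def parse_listing(text: str) -> List[Dropped]:
    """Split the listing into records. '-' separates records; a bare label line
    takes its value from the following line; any other line is the file path."""
    records: List[Dropped] = []
    cur, pending = Dropped(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.size or cur.digests:
                records.append(_finish(cur))
            cur, pending = Dropped(), None
            continue
        if pending:                      # value for the label on the previous line
            _assign(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        else:
            cur.path = line              # not a label: it is the path line
    if cur.path or cur.size or cur.digests:
        records.append(_finish(cur))
    return records


def unique_sha256(records: List[Dropped]) -> Dict[str, Optional[str]]:
    """SHA-256 -> first path seen, deduplicated, skipping records that failed validation
    or that are the empty-file digest set (neither is a usable indicator)."""
    out: Dict[str, Optional[str]] = {}
    for r in records:
        s = r.digests.get("SHA256")
        bad = any(p.startswith(("malformed", "missing", "empty file")) for p in r.problems)
        if s and not bad and s not in out:
            out[s] = r.path
    return out


# Three records copied verbatim from the listing above (raw string: the paths contain backslashes).
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
9KB
MD5708f5ce7543f4bb913fc3824353bb5ce
SHA1facd9c290d1910474c095f893690a8b9c1a9c7f4
SHA2560a2972510c8ba4ac914ae9924e70bad9dcc8c48c9b47f0ffab33eb6ec383e12a
SHA512b4b759fca0cc2d28cf18e51cd8ae6ed73a3303843d54c32d0e8b815d7b2690c0884040e97a34da6ed5a8c1f2c642ac3bcb4d9d92e9961ecb8f6c44414d3ccd13
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.path or "<no path>", rec.size, rec.digests.get("SHA256"), rec.problems)
    print("usable SHA-256 indicators:", list(unique_sha256(parse_listing(SAMPLE))))
```

Records that carry no path (the bare Filesize entries above) are still parsed and keep their digests, since a hash alone can be searched for; only the empty-file record and any malformed digest are dropped from the deduplicated indicator set.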