Malware Analysis Report

2024-11-15 07:50

Sample ID 240606-q783wafa4s
Target Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАРИСТВО_З_ОБМЕЖЕНОЮ_ВІДПОВІДАЛЬНІСТЮ__ПЛАРІУМ_ЮКРЄЙН_.pdf
SHA256 44351a40b74e96ac46873045badd2debe01b281bc3686375320c9daed1c768af
Tags pyinstaller
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview


Threat Level: Shows suspicious behavior

The file Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАРИСТВО_З_ОБМЕЖЕНОЮ_ВІДПОВІДАЛЬНІСТЮ__ПЛАРІУМ_ЮКРЄЙН_.pdf (Ukrainian; the name reads "Invoice-Act No. 5748259 of 01.06.2024 under contract No. Х2_1-2448, LIMITED LIABILITY COMPANY PLARIUM UKRAINE") was classified as: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Detects Pyinstaller

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious use of SetWindowsHookEx

Gathers network information

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Uses Task Scheduler COM API

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:55

Reported

2024-06-06 14:12

Platform

win10v2004-20240508-en

Max time kernel

932s

Max time network

853s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A (6 identical rows)
N/A | N/A | C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe | N/A (58 identical rows)

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 rows, one per drive letter, sorted here) | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | the same 23 drive letters (23 rows) | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\F: | C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | (one of the 64 paths below) | C:\Windows\system32\msiexec.exe | N/A

Paths created (64 rows, one per path, all by C:\Windows\system32\msiexec.exe, Target N/A):
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Asia\Samarkand
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Pacific\Chuuk
C:\Program Files\Autopsy-4.21.0\platform\config\Modules\org-netbeans-modules-favorites.xml
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Eirunepe
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Antarctica\Macquarie
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Asia\Omsk
C:\Program Files\Autopsy-4.21.0\docs\pgAdmin.PNG
C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe
C:\Program Files\Autopsy-4.21.0\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\pl\LC_MESSAGES\glib20.mo
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\ro\LC_MESSAGES\gst-plugins-bad-1.0.mo
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Europe\Athens
C:\Program Files\Autopsy-4.21.0\docs\if_export.png
C:\Program Files\Autopsy-4.21.0\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll
C:\Program Files\Autopsy-4.21.0\jre\lib\ct.sym
C:\Program Files\Autopsy-4.21.0\platform\config\Modules\org-netbeans-modules-uihandler.xml
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Indiana\Knox
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\msgs\mk.msg
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Etc\GMT+9
C:\Program Files\Autopsy-4.21.0\autopsy\rr-full\plugins\direct.pl
C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\WEB-INF\lib\jackson-dataformat-smile-2.12.3.jar
C:\Program Files\Autopsy-4.21.0\docs\fd_dataSourceFilter.png
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\plaso\parsers\chrome_cache.yaml
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Moncton
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\America\Rosario
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Pacific\Fakaofo
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\zmq.backend.cython.context.pyd
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Etc\Universal
C:\Program Files\Autopsy-4.21.0\autopsy\rr\plugins\autopsyntusernetwork.pl
C:\Program Files\Autopsy-4.21.0\docs\data_source_integrity_add_ds.png
C:\Program Files\Autopsy-4.21.0\linux_macos_install_scripts\add_macos_jna.sh
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\bin\gst-typefind-1.0.exe
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\lib\gstreamer-1.0\gstdecklink.dll
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\id\LC_MESSAGES\gst-plugins-ugly-1.0.mo
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\plaso\parsers\winreg_plugins\mru.yaml
C:\Program Files\Autopsy-4.21.0\docs\content_viewer_context.png
C:\Program Files\Autopsy-4.21.0\platform\modules\ext\batik-xml-1.14.jar
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\ja\LC_MESSAGES\gstreamer-1.0.mo
C:\Program Files\Autopsy-4.21.0\autopsy\modules\ext\commons-math3-3.6.1.jar
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Europe\Bratislava
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Etc\GMT-12
C:\Program Files\Autopsy-4.21.0\autopsy\solr\lib\jetty-security-11.0.15.jar
C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\img\ico\block.png
C:\Program Files\Autopsy-4.21.0\docs\portable_case_unpackage.png
C:\Program Files\Autopsy-4.21.0\platform\config\Modules\org-netbeans-modules-masterfs-windows.xml
C:\Program Files\Autopsy-4.21.0\CoreTestLibs\modules\ext\junit-4.13.2.jar
C:\Program Files\Autopsy-4.21.0\autopsy\modules\ext\pdfbox-tools-2.0.25.jar
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\St_Johns
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Egypt
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Mexico\General
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Africa\Porto-Novo
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\tzdata\Pacific\Easter
C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\img\ico\slash.png
C:\Program Files\Autopsy-4.21.0\docs\personas_cvt_accounts.png
C:\Program Files\Autopsy-4.21.0\docs\reports_case.png
C:\Program Files\Autopsy-4.21.0\jre\legal\jdk.internal.vm.compiler\LICENSE
C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\nl\LC_MESSAGES\gst-plugins-base-1.0.mo
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Europe\Kaliningrad
C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\etc\security.properties
C:\Program Files\Autopsy-4.21.0\docs\tagging_image_one_tag.png
C:\Program Files\Autopsy-4.21.0\jre\bin\api-ms-win-crt-private-l1-1-0.dll
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Goose_Bay
C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\tcl\msgs\en_bw.msg
C:\Program Files\Autopsy-4.21.0\autopsy\rr-full\plugins\null.pl

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Installer\e5d58b2.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI5E12.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI5E61.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI71CB.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\e5d58b4.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\e5d58b2.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI5D74.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C}\autopsy.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\SourceHash{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C} | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C}\autopsy.exe | C:\Windows\system32\msiexec.exe | N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
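The report tags the sample "pyinstaller" and lists a Detects Pyinstaller signature, but records no indicator for it, so a reader cannot see what was matched. Rules of this kind normally key on the CArchive cookie that the PyInstaller bootloader appends to its executable. The script below is an added example, not the sandbox's rule and not derived from this sample: it locates the last occurrence of the cookie magic in a byte image and decodes the cookie fields. The byte layout (8-byte magic, three big-endian uint32 lengths/offsets, a big-endian int32 Python version, a 64-byte library name) is PyInstaller's own; `find_pyinstaller_cookie` and the `build_sample` helper that fabricates a test input are names introduced here, and the sample bytes are constructed, not taken from the analysed file.

```python
"""Locate and decode a PyInstaller CArchive cookie in a file image.

Added example for this report; it is not the sandbox's own signature and was
not derived from the analysed sample.  PyInstaller appends its archive to the
bootloader executable and terminates it with an 88-byte cookie:

    magic (8 bytes)                          = "MEI" followed by 0c 0b 0a 0b 0e
    package length, TOC offset, TOC length   (uint32, big-endian)
    Python version                           (int32,  big-endian)
    Python shared-library name               (64 bytes, NUL padded)

The magic is what "Detects PyInstaller" style rules usually key on.
"""
import struct
import sys

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIIi64s"                 # magic, pkg_len, toc_off, toc_len, pyvers, pylib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie as a dict, or None if no complete cookie is present.

    The LAST occurrence of the magic is used, as PyInstaller's own reader does,
    because trailing data (for example a code signature) may follow the archive.
    Very old releases wrote a 24-byte cookie without the library name; those are
    not decoded here.
    """
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None                       # absent, or truncated before the cookie ends
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN]
    )
    # Current PyInstaller packs the version as major*100+minor (311 for 3.11);
    # older releases used major*10+minor (27 for 2.7).  Decode both encodings.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyvers: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Constructed test input (not bytes from the analysed sample): a fake stub,
    a fake archive body and a correctly formatted cookie."""
    stub = b"MZ" + b"\x00" * 62 + b"fake PE stub "      # placeholder, not a real PE
    archive = b"fake archive payload " * 8
    pkg_len = len(archive) + COOKIE_LEN                  # archive plus cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, 100, 200, pyvers, pylib)
    return stub + archive + cookie


if __name__ == "__main__":
    # Usage: python pyi_cookie.py <file>   (no argument: scan the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(find_pyinstaller_cookie(blob) or "no PyInstaller cookie found")
```

Run against a real onefile build, the decoded `toc_offset` and `toc_length` are the entry point for listing the bundled scripts and modules; a match on the magic alone, with a cookie that fails to decode, is the usual sign of a truncated download or a deliberately damaged overlay.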

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A (3 identical rows)

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D1A1DAA61C0451544B6DAEA561F7AF77\82A0C4A257E0F124BA678B27CFBCBEC4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000adbc178a40a1da01d53ca08c40a1da016197d78d40a1da0114000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\82A0C4A257E0F124BA678B27CFBCBEC4\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Version = "68485120" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\PackageCode = "A4E9A51DEB6C1974A8803DC304706DD0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\82A0C4A257E0F124BA678B27CFBCBEC4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\ProductIcon = "C:\\Windows\\Installer\\{2A4C0A28-0E75-421F-AB76-B872FCCBEB4C}\\autopsy.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\ProductName = "Autopsy" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\PackageName = "autopsy-4.21.0-64bit.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82A0C4A257E0F124BA678B27CFBCBEC4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D1A1DAA61C0451544B6DAEA561F7AF77 C:\Windows\system32\msiexec.exe N/A
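
The BagMRU and Bags keys that AcroRd32.exe writes in the rows above are Explorer shellbag state: the ComDlg subkeys hold the view settings of the common file dialog, and each BagMRU value is a binary SHITEMID (one element of an ITEMIDLIST, with the full path reconstructed by chaining parent keys). The decoder below is an added worked example, not part of the sandbox report or of any tool it names; it parses the two BagMRU values copied verbatim from the rows above. The GUID lookup table, the treatment of item types 0x1f and 0x2e as GUID items, and the layout assumed for the 0xBEEF0026 extension block (size, version, signature, unknown dword, three FILETIMEs) are the example's own assumptions from public shellbag documentation.

```python
"""Decode Explorer shellbag (BagMRU) SHITEMID blobs as recorded by a sandbox report."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Assumption: the only GUIDs we need to resolve for the two values on this page.
KNOWN_GUIDS = {
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "CLSID_MyComputer (This PC)",
    "b4bfcc3a-db2c-424c-b029-7fe99a87c641": "FOLDERID_Desktop",
}

# Hex blobs copied verbatim from the BagMRU\0 and BagMRU\0\1 rows of the report.
BAGMRU_0 = "14001f50e04fd020ea3a6910a2d808002b30309d0000"
BAGMRU_0_1 = ("3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe"
              "11000000adbc178a40a1da01d53ca08c40a1da016197d78d40a1da0114000000")

EXT_SIG_BEEF0026 = 0xBEEF0026  # extension block carrying three FILETIMEs


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def split_itemids(blob: bytes):
    """Yield the payload of each size-prefixed SHITEMID until the 0x0000 terminator."""
    off = 0
    while off + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, off)[0]
        if size == 0:
            return
        if size < 2 or off + size > len(blob):
            raise ValueError(f"bad SHITEMID size {size} at offset {off}")
        yield blob[off + 2: off + size]
        off += size


def decode_item(data: bytes) -> dict:
    """Decode the GUID-based item types present in this report (0x1f root, 0x2e known folder).

    Layout assumed: type(1) sort-index/flags(1) GUID(16) [extension blocks...].
    Other item types are returned with only their raw type byte.
    """
    item_type = data[0]
    info = {"type": item_type}
    if item_type not in (0x1F, 0x2E) or len(data) < 18:
        return info
    guid = str(uuid.UUID(bytes_le=data[2:18]))
    info["guid"] = guid
    info["name"] = KNOWN_GUIDS.get(guid, "unknown GUID")
    ext = data[18:]
    if len(ext) >= 36 and struct.unpack_from("<I", ext, 4)[0] == EXT_SIG_BEEF0026:
        ext_size = struct.unpack_from("<H", ext, 0)[0]
        if ext_size >= 36:
            # Assumed order for 0xBEEF0026: creation, modification, access times.
            created, modified, accessed = struct.unpack_from("<3Q", ext, 12)
            info["created"] = filetime_to_datetime(created)
            info["modified"] = filetime_to_datetime(modified)
            info["accessed"] = filetime_to_datetime(accessed)
    return info


def decode_bagmru(hex_value: str) -> list:
    """Decode one BagMRU value (hex, as printed in the report) into item dictionaries."""
    return [decode_item(item) for item in split_itemids(bytes.fromhex(hex_value))]


if __name__ == "__main__":
    for key, value in (("BagMRU\\0", BAGMRU_0), ("BagMRU\\0\\1", BAGMRU_0_1)):
        for item in decode_bagmru(value):
            print(key, item)
```

Run as-is it resolves BagMRU\0 to the This PC root item and BagMRU\0\1 to the Desktop known folder, whose embedded FILETIMEs decode to 8 May 2024; these values describe the folder the file dialog was browsing, which is worth knowing before counting the "Modifies registry class" rows as attacker activity rather than reader UI noise.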

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\autopsy-4.21.0-64bit.msi:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A
N/A N/A C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 3060 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1440 wrote to memory of 3060 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1440 wrote to memory of 3060 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 4832 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3060 wrote to memory of 2624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Caveat on the "ransomware" tag: in this run the Volume Shadow Copy service shows up as vssvc.exe followed by srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2, directly after msiexec.exe installs C:\Users\Admin\Downloads\autopsy-4.21.0-64bit.msi (see the Processes list). That is the System Restore checkpoint Windows Installer takes before an MSI install, not shadow-copy deletion, and it is attributable to the Autopsy installation performed during the session rather than to the PDF. Nothing in the process list invokes vssadmin or wmic shadowcopy.

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2351D21228181DCDA8C9BA61D85E8B46 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2EF37671CB5286130E8B99806574D796 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2EF37671CB5286130E8B99806574D796 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44BA52CF10DC1B26D8CCC05E704BF4E0 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2120F4C1AE18D441AD61C14320DAB279 --mojo-platform-channel-handle=2496 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A8E8F8646A058DF774D643A97BBF86A7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A8E8F8646A058DF774D643A97BBF86A7 --renderer-client-id=6 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA5779713AF8B580730362FD0C7D45B3 --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.0.205603629\1364296261" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d71b38-d242-4aab-903a-d93d0dcf7e3c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 1896 2411c1f0358 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.1.320852209\390918207" -parentBuildID 20230214051806 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11fd6fad-002c-430e-9a5b-32a0f356f5a4} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 2464 2411048a258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.2.59490874\1677719749" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bf9f676-91c4-41cc-b50e-3132ad55d9a8} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 3132 2411f9efd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.3.1053473547\1056583224" -childID 2 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e19b9a8-06fd-4580-9b3d-305bffb57c6c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 4220 241225bcb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.4.417421345\1985183238" -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 4976 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0fa4fe1-e85f-4886-a051-4ce6ad55d24a} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5060 24124976258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.5.1029535936\1769094673" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca00a459-fc78-4375-8d2f-4d3622a72a0d} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5080 24124976558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.6.2081543461\1830468605" -childID 5 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92d9f361-3c34-4bfc-a5ef-9b269a64c62c} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5424 24124977458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.7.401932288\1271512811" -parentBuildID 20230214051806 -prefsHandle 5764 -prefMapHandle 5812 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb41265e-ec8c-4560-8fef-dd709ed04999} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5860 24125acc558 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.8.417756331\486453977" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {149865ab-51ff-4e07-86ac-525593bc38f7} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5884 24125acc858 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.9.1337186209\1435053468" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 6136 -prefMapHandle 6132 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b57e9781-d3f5-49fa-8b71-1736cb0ab033} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 5764 24125acfb58 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.10.1641794278\2136795190" -childID 6 -isForBrowser -prefsHandle 6160 -prefMapHandle 6156 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {330452bd-71ec-4e48-9830-4c21c465eaaa} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 6264 24125d95058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.11.1261101082\179117454" -childID 7 -isForBrowser -prefsHandle 6652 -prefMapHandle 6648 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35853b29-bd20-4621-9ff7-5e660bf3ed9e} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 6660 24126bcc258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.12.687922059\1048541887" -childID 8 -isForBrowser -prefsHandle 9832 -prefMapHandle 9836 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf8544f-82da-4dcd-bedb-45b32c8be40a} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 9824 24126836558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.13.690392161\962143559" -childID 9 -isForBrowser -prefsHandle 10716 -prefMapHandle 10712 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f50bfd19-ef42-459d-a1df-170ca714faff} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 6792 24126b06658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.14.1427824552\249568070" -childID 10 -isForBrowser -prefsHandle 10524 -prefMapHandle 10516 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc1b1969-23ff-4d7a-a9ea-a75c8cb7697e} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 10532 24127170558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3292.15.1449905771\128334592" -childID 11 -isForBrowser -prefsHandle 6260 -prefMapHandle 10468 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df73b15a-bec4-4a1c-bcbc-77f378801259} 3292 "\\.\pipe\gecko-crash-server-pipe.3292" 10292 24126d71758 tab

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\autopsy-4.21.0-64bit.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A063015C05DCAEF2825D55F2DC14ED84 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 94C9A71E4A8A42206ADD3A33A1E8644D

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=12D718B7F757DB2BDA4D954258ABC2D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=12D718B7F757DB2BDA4D954258ABC2D8 --renderer-client-id=10 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1

C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe

"C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1704,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3168 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\autopsy\solr\bin\autopsy-solr.cmd" start -p 23232"

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version

C:\Windows\system32\findstr.exe

findstr /i "IBM J9"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version 2>&1 | findstr "version""

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version

C:\Windows\system32\findstr.exe

findstr "version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netstat -aon | find "TCP " | find ":0 " | find ":23232 "

C:\Windows\system32\NETSTAT.EXE

netstat -aon

C:\Windows\system32\find.exe

find "TCP "

C:\Windows\system32\find.exe

find ":0 "

C:\Windows\system32\find.exe

find ":23232 "

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -server -version

C:\Windows\system32\findstr.exe

findstr /i /C:" C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr " "C:\Users\Admin\AppData\Local\Temp\solr-pattern.txt"

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -server -Xmx2048m -Duser.timezone=UTC -XX:+UseG1GC -XX:+PerfDisableSharedMem -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=250 -XX:+UseLargePages -XX:+AlwaysPreTouch "-Xlog:gc*:file=\"C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr\solr_gc.log\":time,uptime:filecount=9,filesize=20M" -Xss256k -Dbootstrap_confdir=../solr/configsets/AutopsyConfig/conf -Dcollection.configName=AutopsyConfig -Dsolr.default.confdir=../solr/configsets/AutopsyConfig/conf -Dsolr.log.dir="C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr" -Dlog4j.configurationFile="file:///C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\resources\log4j2.xml" -DSTOP.PORT=8079 -DSTOP.KEY=jjk#09s -Dsolr.log.muteconsole -Dsolr.solr.home="C:\Users\Admin\AppData\Roaming\autopsy\solr" -Dsolr.install.dir="C:\Program Files\Autopsy-4.21.0\autopsy\solr" -Dsolr.default.confdir="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr\configsets\_default\conf" -Djetty.host=0.0.0.0 -Djetty.port=23232 -Djetty.home="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server" -Djava.io.tmpdir="C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr\tmp" -jar start.jar --module=http ""

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -Dsolr.install.dir="C:\Program Files\Autopsy-4.21.0\autopsy\solr" -Dsolr.default.confdir="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr\configsets\_default\conf" -Dlog4j.configurationFile="file:///C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\resources\log4j2-console.xml" -classpath "C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\solr-webapp\webapp\WEB-INF\lib\*;C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\lib\ext\*" org.apache.solr.util.SolrCLI status -maxWaitSecs 30 -solr http://localhost:23232/solr

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\Wbem\wmic.exe

"wmic" process where "name='java.exe' AND commandline LIKE '%-DSTOP.KEY=jjk#09s%start.jar%'" get ProcessID

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ver

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c net use C:

C:\Windows\system32\net.exe

net use C:

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c net use D:

C:\Windows\system32\net.exe

net use D:

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c net use F:

C:\Windows\system32\net.exe

net use F:

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Autopsy\test_20240606_140511\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=568174B1698F85DB324761CFEE460F54 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=568174B1698F85DB324761CFEE460F54 --renderer-client-id=12 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\autopsy\solr\bin\autopsy-solr.cmd" stop -k jjk#09s -p 23232"

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version

C:\Windows\system32\findstr.exe

findstr /i "IBM J9"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version 2>&1 | findstr "version""

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -version

C:\Windows\system32\findstr.exe

findstr "version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netstat -nao | find "TCP " | find ":0 " | find ":23232 "

C:\Windows\system32\NETSTAT.EXE

netstat -nao

C:\Windows\system32\find.exe

find "TCP "

C:\Windows\system32\find.exe

find ":0 "

C:\Windows\system32\find.exe

find ":23232 "

C:\Program Files\Autopsy-4.21.0\jre\bin\java.exe

"C:\Program Files\Autopsy-4.21.0\jre\bin\java" -Djetty.home="C:\Program Files\Autopsy-4.21.0\autopsy\solr\server" -jar "C:\Program Files\Autopsy-4.21.0\autopsy\solr\server\start.jar" --module=http STOP.PORT=8079 STOP.KEY=jjk#09s --stop

C:\Windows\system32\timeout.exe

timeout /T 5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netstat -nao | find "TCP " | find ":0 " | find ":23232 "

C:\Windows\system32\NETSTAT.EXE

netstat -nao

C:\Windows\system32\find.exe

find "TCP "

C:\Windows\system32\find.exe

find ":0 "

C:\Windows\system32\find.exe

find ":23232 "

C:\Windows\System32\Wbem\wmic.exe

"wmic" process where "name='java.exe' AND commandline LIKE '%-DSTOP.KEY=jjk#09s%start.jar%'" get ProcessID

Reading the list: the submitted PDF is referenced by exactly two commands, the AcroRd32.exe launch from C:\Users\Admin\AppData\Local\Temp and a second launch from C:\Users\Admin\AppData\Local\Temp\Autopsy\test_20240606_140511\Temp, which is the copy Autopsy extracted into its case directory. Everything from the Firefox session through msiexec.exe, autopsy64.exe, the java.exe Solr start and stop, the net use C: / D: / F: probes, netstat -aon | find ":23232", timeout /T 5 and the wmic process lookups belongs to the Autopsy 4.21.0 install and its bundled autopsy-solr.cmd, and those are the commands the "Runs net.exe", "Gathers network information" and "Delays execution with timeout.exe" signatures in the summary describe. None of them is launched with the PDF as an argument, so the score should be read as reflecting the analyst session in the VM as much as the sample.
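Sorting a process list like the one above into what touches the sample and what the analyst's own tooling did is easy by hand for one report and tedious across many. The following is an added example, not part of the original report and not Autopsy's or the sandbox vendor's code: it applies that sorting to a representative subset of (image path, command line) pairs copied from the list above. The labels, the tooling path list, the LOLBin list and the sample-name prefix are this example's own assumptions.

```python
"""Attribute entries of a sandbox Processes list to the sample or to analyst tooling.

Added example; not part of the original report and not Autopsy's or the
sandbox's code. ENTRIES holds (image path, command line) pairs copied from
the Processes list above; the labels, path lists and SAMPLE_PREFIX are this
example's own assumptions.
"""
import re
from collections import Counter

# Representative rows copied from the report's Processes section.
ENTRIES = [
    (r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"'),
    (r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043'),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (r"C:\Windows\System32\msiexec.exe",
     r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\autopsy-4.21.0-64bit.msi"'),
    (r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (r"C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe", r'"C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe"'),
    (r"C:\Windows\SYSTEM32\cmd.exe", r'"cmd" /c net use C:'),
    (r"C:\Windows\system32\net.exe", r"net use C:"),
    (r"C:\Windows\system32\NETSTAT.EXE", r"netstat -aon"),
    (r"C:\Windows\system32\timeout.exe", r"timeout /T 5"),
    (r"C:\Windows\System32\Wbem\wmic.exe",
     r'''"wmic" process where "name='java.exe' AND commandline LIKE '%-DSTOP.KEY=jjk#09s%start.jar%'" get ProcessID'''),
    (r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\Autopsy\test_20240606_140511\Temp\Рахунок-Акт_№_5748259_від_01.06.2024_по_договору_№_Х2_1-2448,_ТОВАР.pdf"'),
]

# Assumptions of this example (lower-cased substrings / file names).
SAMPLE_PREFIX = "Рахунок-Акт_№_5748259"       # start of the submitted file name
ANALYST_TOOLING = ("\\autopsy-4.21.0\\", "\\mozilla firefox\\", "\\microsoft\\edge\\",
                   "autopsy-4.21.0-64bit.msi")
MSI_RESTORE_POINT = ("vssvc.exe", "srtasks.exe")   # System Restore checkpoint taken by Windows Installer
READER_HELPER = "\\adobe\\acrobat reader dc\\"
LOLBINS = ("cmd.exe", "net.exe", "netstat.exe", "timeout.exe", "wmic.exe", "find.exe", "findstr.exe")

PDF_ARG = re.compile(r'"([^"]+\.pdf)"', re.IGNORECASE)


def classify(path: str, cmdline: str) -> str:
    """Coarse attribution label for one (path, command line) entry, checked in priority order."""
    lp, lc = path.lower(), cmdline.lower()
    if SAMPLE_PREFIX in cmdline:
        return "opens-sample"            # the only commands that reference the submitted file
    if any(t in lp or t in lc for t in ANALYST_TOOLING):
        return "analyst-tooling"
    if lp.endswith(MSI_RESTORE_POINT):
        return "msi-restore-point"
    if READER_HELPER in lp:
        return "reader-helper"
    if lp.endswith(LOLBINS):
        return "lolbin"                  # attributed by the commands around it, never on its own
    return "unattributed"


def attribute(entries) -> Counter:
    """Count entries per label."""
    return Counter(classify(p, c) for p, c in entries)


def sample_paths(entries) -> list:
    """Every on-disk path of the sample that some command opened, in list order."""
    return [m.group(1) for _, c in entries if SAMPLE_PREFIX in c for m in PDF_ARG.finditer(c)]


if __name__ == "__main__":
    for label, n in attribute(ENTRIES).most_common():
        print(f"{n:3d}  {label}")
    for p in sample_paths(ENTRIES):
        print("sample opened from:", p)
```

Anything left "unattributed" after these rules is what deserves a closer look; on this subset nothing is, and the two "opens-sample" hits are the original Temp path and Autopsy's case directory copy.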

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.24.90.104.in-addr.arpa udp
US 8.8.8.8:53 18.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:49986 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 44.237.65.238:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 238.65.237.44.in-addr.arpa udp
N/A 127.0.0.1:49992 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
GB 172.217.169.54:443 i.ytimg.com tcp
GB 172.217.169.54:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 172.217.169.54:443 i.ytimg.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 54.169.217.172.in-addr.arpa udp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com udp
GB 172.217.169.46:443 play.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 226.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 172.217.169.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 142.250.178.10:443 jnn-pa.googleapis.com tcp
GB 142.250.178.10:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 172.217.169.6:443 static.doubleclick.net udp
GB 142.250.178.10:443 jnn-pa.googleapis.com udp
GB 142.250.178.10:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 6.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.autopsy.com udp
US 141.193.213.10:443 www.autopsy.com tcp
US 8.8.8.8:53 wp.wpenginepowered.com udp
US 8.8.8.8:53 wp.wpenginepowered.com udp
US 8.8.8.8:53 10.213.193.141.in-addr.arpa udp
US 141.193.213.10:443 wp.wpenginepowered.com udp
US 8.8.8.8:53 static.addtoany.com udp
US 8.8.8.8:53 js.hs-scripts.com udp
US 104.22.70.197:443 static.addtoany.com tcp
US 8.8.8.8:53 static.addtoany.com udp
US 104.16.137.209:443 js.hs-scripts.com tcp
US 104.16.137.209:443 js.hs-scripts.com tcp
US 8.8.8.8:53 js.hs-scripts.com udp
US 8.8.8.8:53 static.addtoany.com udp
US 8.8.8.8:53 js.hs-scripts.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 snap.licdn.com udp
GB 142.250.180.10:443 ajax.googleapis.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 104.22.70.197:443 static.addtoany.com udp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
US 8.8.8.8:53 js.hsadspixel.net udp
GB 142.250.180.10:443 ajax.googleapis.com udp
US 8.8.8.8:53 js.hubspot.com udp
US 8.8.8.8:53 js.hs-banner.com udp
US 104.17.223.152:443 js.hsadspixel.net tcp
US 8.8.8.8:53 js.hsadspixel.net udp
US 8.8.8.8:53 js.hubspot.com udp
US 8.8.8.8:53 js.hs-analytics.net udp
US 8.8.8.8:53 js.hscollectedforms.net udp
US 104.17.223.152:443 js.hsadspixel.net tcp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 104.16.111.254:443 js.hscollectedforms.net tcp
US 8.8.8.8:53 js.hsadspixel.net udp
US 172.64.153.27:443 js.hs-banner.com tcp
US 8.8.8.8:53 js.hubspot.com udp
US 8.8.8.8:53 js.hscollectedforms.net udp
US 8.8.8.8:53 js.hs-analytics.net udp
US 8.8.8.8:53 js.usemessages.com udp
US 8.8.8.8:53 js.hs-banner.com udp
US 172.64.153.27:443 js.hs-banner.com tcp
US 104.16.111.254:443 js.hscollectedforms.net tcp
US 104.16.77.142:443 js.usemessages.com tcp
US 8.8.8.8:53 js.hscollectedforms.net udp
US 8.8.8.8:53 js.hs-analytics.net udp
US 8.8.8.8:53 js.hs-banner.com udp
US 8.8.8.8:53 js.usemessages.com udp
US 8.8.8.8:53 js.usemessages.com udp
US 8.8.8.8:53 api.hubspot.com udp
US 104.16.118.116:443 api.hubspot.com tcp
US 8.8.8.8:53 api.hubspot.com udp
US 8.8.8.8:53 api.hubspot.com udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 197.70.22.104.in-addr.arpa udp
US 8.8.8.8:53 209.137.16.104.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 152.223.17.104.in-addr.arpa udp
US 8.8.8.8:53 254.111.16.104.in-addr.arpa udp
US 8.8.8.8:53 27.153.64.172.in-addr.arpa udp
US 8.8.8.8:53 142.77.16.104.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 116.118.16.104.in-addr.arpa udp
US 2.17.251.40:443 a1916.dscg2.akamai.net tcp
US 104.16.117.116:443 api.hubspot.com tcp
US 104.16.160.168:443 js.hs-analytics.net tcp
US 8.8.8.8:53 forms.hscollectedforms.net udp
US 8.8.8.8:53 api.hubapi.com udp
US 8.8.8.8:53 px.ads.linkedin.com udp
US 104.16.108.254:443 forms.hscollectedforms.net tcp
US 104.16.108.254:443 forms.hscollectedforms.net tcp
US 8.8.8.8:53 forms.hscollectedforms.net udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 104.18.241.108:443 api.hubapi.com tcp
US 8.8.8.8:53 api.hubapi.com udp
US 8.8.8.8:53 forms.hscollectedforms.net udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 8.8.8.8:53 api.hubapi.com udp
GB 142.250.178.10:443 jnn-pa.googleapis.com tcp
GB 142.250.178.10:443 jnn-pa.googleapis.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 172.217.169.54:443 i.ytimg.com tcp
GB 142.250.178.10:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
US 13.107.42.14:443 l-0005.l-msedge.net tcp
US 8.8.8.8:53 cta-service-cms2.hubspot.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 172.217.169.54:443 i.ytimg.com udp
US 104.16.117.116:443 cta-service-cms2.hubspot.com tcp
US 8.8.8.8:53 cta-service-cms2.hubspot.com udp
US 8.8.8.8:53 photos-ugc.l.googleusercontent.com udp
US 8.8.8.8:53 cta-service-cms2.hubspot.com udp
GB 142.250.180.1:443 yt3.ggpht.com udp
GB 172.217.169.6:443 static.doubleclick.net tcp
GB 172.217.169.6:443 static.doubleclick.net udp
US 8.8.8.8:53 116.117.16.104.in-addr.arpa udp
US 8.8.8.8:53 168.160.16.104.in-addr.arpa udp
US 8.8.8.8:53 40.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 254.108.16.104.in-addr.arpa udp
US 8.8.8.8:53 108.241.18.104.in-addr.arpa udp
US 8.8.8.8:53 14.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
GB 142.250.187.206:443 analytics.google.com tcp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
GB 172.217.169.46:443 youtube-ui.l.google.com tcp
GB 142.250.178.10:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 perf-na1.hsforms.com udp
US 8.8.8.8:53 analytics.google.com udp
GB 142.250.187.206:443 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 104.18.80.204:443 perf-na1.hsforms.com tcp
US 8.8.8.8:53 perf-na1.hsforms.com udp
GB 172.217.169.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 perf-na1.hsforms.com udp
US 104.18.80.204:443 perf-na1.hsforms.com udp
US 8.8.8.8:53 track.hubspot.com udp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 track.hubspot.com udp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
US 8.8.8.8:53 track.hubspot.com udp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
BE 64.233.167.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 sleuthkit.org udp
US 8.8.8.8:53 js.hsforms.net udp
BE 64.233.167.156:443 stats.g.doubleclick.net udp
US 104.18.141.119:443 js.hsforms.net tcp
US 8.8.8.8:53 js.hsforms.net udp
US 8.8.8.8:53 js.hsforms.net udp
US 75.119.201.247:443 sleuthkit.org tcp
US 8.8.8.8:53 sleuthkit.org udp
US 8.8.8.8:53 sleuthkit.org udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 204.80.18.104.in-addr.arpa udp
US 8.8.8.8:53 156.167.233.64.in-addr.arpa udp
US 8.8.8.8:53 119.141.18.104.in-addr.arpa udp
US 104.18.141.119:443 js.hsforms.net udp
US 8.8.8.8:53 forms.hsforms.com udp
US 104.18.80.204:443 forms.hsforms.com tcp
US 8.8.8.8:53 forms.hsforms.com udp
US 8.8.8.8:53 forms.hsforms.com udp
US 75.119.201.247:443 sleuthkit.org tcp
US 104.18.80.204:443 forms.hsforms.com udp
US 8.8.8.8:53 forms-na1.hsforms.com udp
US 8.8.8.8:53 forms-na1.hsforms.com udp
US 104.18.80.204:443 forms-na1.hsforms.com tcp
US 8.8.8.8:53 forms-na1.hsforms.com udp
US 104.18.80.204:443 forms-na1.hsforms.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
FR 23.200.86.251:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 251.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 166.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 files.acrobat.com udp
US 44.198.86.118:443 files.acrobat.com tcp
US 8.8.8.8:53 cloud.acrobat.com udp
US 3.233.142.19:443 cloud.acrobat.com tcp
US 8.8.8.8:53 118.86.198.44.in-addr.arpa udp
US 8.8.8.8:53 19.142.233.3.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 metadata.google.internal udp
US 75.119.201.247:80 sleuthkit.org tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
N/A 127.0.0.1:23232 tcp
N/A 127.0.0.1:23232 tcp
N/A 127.0.0.1:23232 tcp
N/A 127.0.0.1:23232 tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
N/A 127.0.0.1:23232 tcp
N/A 127.0.0.1:23232 tcp
N/A 127.0.0.1:8079 tcp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 1580aec1d0f66829dce6ccef68934695
SHA1 9d89dfa872528cc580f96c58a015a0af2bc3434d
SHA256 ba365e77c092e3a229ad0b6da6614d7aca96a1a5efa3db4a82ffccdd0101c4a5
SHA512 dff76812bfae945749809158c1c9e4a5421c6a71fc428d6f69044bbfeebba2492a9a2dc4bdb397662fb2f7bee7135547ad89da162e7ac319c3f7d67932d5f881

memory/1440-123-0x000000000BDD0000-0x000000000C07B000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

MD5 728cb206b90ede8d1cddc0f955d5f385
SHA1 8a2b7622e1efd815463ea09741c1e5056d424de4
SHA256 f9202df4376322c2840d1ffaf051ba56086232d3c835e4e6bccfcbc64ca28cdb
SHA512 bc7102735b7faaeb1b41288292df1145b27eb58269646eb78f74debe5b53673ffdefa79d366a706ce0273da9e0fdeeb2fc08cb805a3ea3af4a3c12492932413d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

MD5 b412e8e0338b9a474d0561a269b7f469
SHA1 91f21cbed0907e70e69032e443a601c3a1ddf69d
SHA256 623ab19cbe1ae914d9d8a6df1948cb6dfe02cdb44db2f03899bd13376843188f
SHA512 883191a9075bd2f77ea964c2f675d60a60f8c15126cd0d75003d5ee49d20590ef21d83d447861500fb001058fc8c306da9460b13d4a92626b82063971e5d6fee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 52f7e941d6e29d232fc5c9335dcbe0e5
SHA1 e953cffd3592fa4566c60ad2ae9b647ccebf5c43
SHA256 7924414403c470f74038d475c3734f8471743d8636bf84ab6f88e51b7ffed4cd
SHA512 4ef420d3b18fafc328b6307b380feeec333bccb6257b57beb3ccc0fd8b53b4dbd917eb9040f81197688b8d86b787483c2366d779c58a9ac1f6ad875d15f41d41

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cautopsy.com%29\idb\358272571LCo7g%sCD7a%t2a4bda5s.sqlite

MD5 9725f8756993cf6298159a80d7899ff4
SHA1 0431e762d6e7e291079e8d777da36313afb879d4
SHA256 baf0ee04b03b6ba66536aa44dc62d5d81a7740ff893bd988955a71a604083627
SHA512 7d12e487e24f9735c109fa121b386563f41fb4b031db7cea8a89b8b876352eee5b3c5f8e849bb47cf7d2602296eb25806d5b0477a15d515bff08fa2e31e811c3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\2070

MD5 53599ed7d2c8f74c733f4ffd2242686c
SHA1 dfb5d5a2a903bba772f7e2f70e3ea0bc957ac1e7
SHA256 631f5254cf72fb50843ec994d4c075e384cd25195e8bb7e9ce397f23aadb7b55
SHA512 edda9c4346df6227782983e0a892224d615905ff553802864800c08c2ac66d0c934ba0cda5123a37332ae35f40b18a6eb4a16ff69e95f713810a0c7e867fe380

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\1DCD060D91A612651706AE8FC96D842D60460D22

MD5 abf2119ffcc478db0dbca9fdf8e76790
SHA1 76baeec7e7239960da03189c58eb09f65a09ce9b
SHA256 79eed2f8de914a7fbfeff133fa7a97c16ac393c287bf8b5437985f7f34228975
SHA512 9a23547a479a83c232365fcf5017b7ea261134439d588255318ec76c6121e4f52834499b1c3037cce5e6106aedc42b9b513f73609da14d4cb328dd7d9d7aa49d

C:\Users\Admin\Downloads\autopsy-4.iKPAMCo9.21.0-64bit.msi.part

MD5 3e7f51febfd9a2e34fbb3db4dd539d4b
SHA1 2c778faecedf04a16515656d05d7bdc96fe8f30e
SHA256 3f2fba48e03b4c947bc14d12d8b9f65c7a8eedd61737aec803945b65e92a2838
SHA512 2680ee49d63f63fff169fe2554c700916cc1a3225d72eae5b290f08a266ef31145415a7414dbc2a826a60e7130a5ab1e54f1ffea2021f6b09a5c338f8040d64e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8a7dbf69bfb7a7994f2674065c27fec6
SHA1 5ecefe1c80c30c47f8a6fecc026b4f37dd551b1c
SHA256 2c0a5fca69f38286432599d45b2929c15f952fece28df10ff21f348b16d80c47
SHA512 d912f58b4ef20955ad5d48968c7b9b29312f7bf6a4a005a60e73e1c246ecd79955165bae9ae9574dd3167506f7b3a8bf00a0dfd11d564fcddca7d6f6f42bef3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 8378998365cc21f95d0a69d239eb9377
SHA1 744e2d21ca058d0bf4742f3b8460922a001413db
SHA256 b3d9e9d974cf3b2589b837b5a314b639efeb57173044b31815c7c1acbf908d7e
SHA512 c22985390609884eeb111f7337f2547a082e5dd77babfd886b8ac4d4655451f278fc9e8723b34a29323a771251497376016d2aa2403f668adfe08e9763c266ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f3b6101b75d4bd0c34d2924716d2faec
SHA1 e583e10fae31eddf04bb4823ce22d60f6cf75d03
SHA256 af366c42c994437c91a84b6811c9b1e17cfd1559086da357483dc02364165c28
SHA512 c8d835b51e001243be93c01a8d578953659f6c71a7f2e499c3a66e8c6cfbcfc7c17c912e8af3a1a91af82259deb943f85868891e04f73263e92bf466cf63358b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

MD5 376bf9b483a04aaceed9bb28b6ba9333
SHA1 d2fcbc5a38f6b191af9232de36cb29d18194216a
SHA256 eade26f0ed5ab972acfe773567afff7365c94c9cb030acac15a81bb963b668a5
SHA512 4f2dd373a692042e037462991f58e99ae038088452b94b5233ec7b861f3d8490f7d49ba0e5e667cb0dfbd3fa61227f65b547a8fe8cad6dcbb897cea94d093ec9

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 708f5ce7543f4bb913fc3824353bb5ce
SHA1 facd9c290d1910474c095f893690a8b9c1a9c7f4
SHA256 0a2972510c8ba4ac914ae9924e70bad9dcc8c48c9b47f0ffab33eb6ec383e12a
SHA512 b4b759fca0cc2d28cf18e51cd8ae6ed73a3303843d54c32d0e8b815d7b2690c0884040e97a34da6ed5a8c1f2c642ac3bcb4d9d92e9961ecb8f6c44414d3ccd13

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Local\Temp\MSI2C33.tmp

MD5 317d2dfc6244a981ef100b8312f579a9
SHA1 e35dc1a7316c8bcba4cea481daf27b36ea3cc383
SHA256 dc3516c65036e305964105e11f6865e1d5a3b171d8d2f765fde18c8f36bf727c
SHA512 d2e4182c88aebfc98b653edb902c74beac38694b7cb9fad13f78a814ffe2f8babd7c5244f59b865a2116dec8d58466a367199ad99f1bbc836210fa63f3d59c96

\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fc5513df-694e-4758-aa80-b32c651ad9f9}_OnDiskSnapshotProp

MD5 134bc6573cd6f7ee9cb1503ff42d232d
SHA1 be00f755d0fae2e79e038342778d340657d50b60
SHA256 108fa00f3b9a1eca86f446fc324c9773aaa7fa75f599df42e2495b2f1de64327
SHA512 a647c449493c2d0a7cfc258e3534009124b8ed4043248915781989f77e4963f3e0f3be2be2e0315b2ab591e0c2c8fad614b9c1781b77230e58617ee28cee425f

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 c97d0f08482899c118c17425202b9766
SHA1 dd2562a891c0eb911c4de62c02a8472c71d72efe
SHA256 9b494c22d83328ee03efc4d039a8b9f8ae2f067d18d9415ff56dd242343eb573
SHA512 9965926fc59b4a9b7dd47f0e1b88fcf4cce3982df01ac4d7795bd58120b6744bc92dd467e86ea83daf584c09a1ee7b749e3e19eb4cbb53346fe57fdf08832d40

memory/1440-3222-0x000000000B900000-0x000000000BA4D000-memory.dmp

C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\fr\LC_MESSAGES\glib20.mo

MD5 914d78ee22c22e53676f05c25ef1fc5b
SHA1 b7111482400b411bf3268b29773bb81c16f6701e
SHA256 fa69c478cceff65b3728d4e33bddd0e1cdecb5c8643115ab75e69364d9919d0b
SHA512 7b1a017e99f807af0bb4e90eb3a2145cbb83c508ec7f5d2a8d164b95ca1d3f028234d9ab2b366b93e6f03f23ea93ddb19569d5d3c41fc1f505a9f44e8c61a4c5

C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\id\LC_MESSAGES\glib20.mo

MD5 d004f45d7002fc19fa7c041fd3715380
SHA1 98dbb3dbfbcd030774424c132d5dca6d253647a8
SHA256 1cfa8c942a4964e1ffc73058b58e8937675e1eecef22f53478b1fee428b30d47
SHA512 7e0ebc08cd861886d059300f602ef3f3cb3a62371ec8e34417e453ace965a5de57a949d157120cea3f4695373f85be8189af1e29c174b49a0eb87ce1e7b6ed04

C:\Program Files\Autopsy-4.21.0\autopsy\gstreamer\1.0\x86_64\share\locale\ta\LC_MESSAGES\glib20.mo

MD5 3c26bf67c50b0fb701b2f9fd4d932706
SHA1 b93b0cf8031e07ec41886fe8d4f0bd54d83810a9
SHA256 292ad95287dc58eb45ab381b6b5a54a5ee864f4177b16721428e05a95dc9224e
SHA512 f6527c66917fbc33e644539fe641c8e343c1875a2f494fdba62a77cc651faf6b16caa594d4dfe0324094dfdc0ebd7d6dff7cbf3395f460d7a30ccb0296b7593b

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\licenses\LICENSE.dfdatetime

MD5 3b83ef96387f14655fc854ddc3c6bd57
SHA1 2b8b815229aa8a61e483fb4ba0588b8b6c491890
SHA256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30
SHA512 98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\licenses\LICENSE.libewf

MD5 d3aa5e7e614a71f77168ef2d78dee29c
SHA1 313f0f1bc7b06919fd30e711c7994bd4e83dd30e
SHA256 ff9ed2eae018d242c1f222c2a22c1dfb936ba053d92e11c3f6f88a4df025fced
SHA512 9dccf8f5d375b2efb87dc40086a1704625ec362cdec5d85b131ad4e7cb1a76803987a65ebf3c10ad99899d30b308165c7af4a25616e8359401f267ad6b148c32

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\psteal.exe

MD5 b7e726274c6f354149782937146e2836
SHA1 c14227e94e83f5b85aff1fb45c2715b1e5f596ad
SHA256 da0f5167c6a21d704623c7fcc2e2a5d6afb9c368ba47e9457af09240fc3b17b1
SHA512 4e44f51b00664e925cf15d23ce4bbb7acaa8626a75d96b75f95cf596c25d07a16476e1350252d9e4a5f91dcfa9a3ce48a780af69bb33295d91c3be071bdfa458

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Africa\Dakar

MD5 ea536f3401f1154cd0fbe55d60fb1919
SHA1 2761dd20ffe255714f9005b59407db9bc75b5f08
SHA256 d5ded126df8f693ce1ff83e85aa4d44185c2bdef7da1f915b214f53deffdee47
SHA512 57a60cbbf067bc6d41c359a0ea23aaad3325652a7fefb33dbf015de41d851afc182c1472f651b4f562fe8b42c74e6aabb45f2f8d3fc8d496a9c6b2050cbb7ca5

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Africa\Djibouti

MD5 25b7a0eb842dcbbbcb5144542d3263bb
SHA1 f4c36cebb3a7e69dde1a4af0775a40b0f1e0397f
SHA256 f143bcb83b80bc1ad0bbb8ad736c852e62bbeb6b3134412bfa77684663ed222a
SHA512 3faf66286b864dfaecac12319802acb3a23e2de64ad71d91d53ec933ad80c21cd14070df2d098b28d4604280898836d6e890caa8b6a23bf532c0d36d6724c6d6

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Africa\Kigali

MD5 6b109e5e08cf0d1f15c2809afe1da830
SHA1 2f6afbdba37f364f0eca9ffe905d0abbcde401d3
SHA256 3d7e6d17cabdaa1814a56dddec02687e1087bc3334fe920ad268a892bf080511
SHA512 f53d5fbba83c57e35976b14cf072b0257d22b155161f9592a64f1bd5fb0492dfbc26f665c0c544a469728573602ed13111a1d99caae311af29b68e1d051a7a6c

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Africa\Lagos

MD5 f880fe97beb11acafcf088263b83d1df
SHA1 6fa3682d860ca2a88e2ef1fd01e081138b945221
SHA256 e40c3386f3a5cd88a03c811fa30ecac34f31368f960ae79e4a90de295c5b1938
SHA512 d10fde671f390c57a0caac342c26ab9e3506367bd358337cce8c4d89decd8d120da2c95d74ca0766f5851bbae5b2b8e5c648185e9e417aabc3eecc7bce279414

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\America\Guadeloupe

MD5 6a95f4e0602e0869a03a18a7501c6675
SHA1 0fa20e8413a337c1d603389fb46484f1cfa5d71e
SHA256 b2659c267f7555c0640505660234cbe0d7feead3a5e29f41272e28a1d7d18962
SHA512 01e5216822bc00070c7728249ed4443b070f901f6337de4ee72b7f4b6623b2638be69f72e5eb0838ad3c78e70618f1c839e681928316305f9b0ab9922c039f51

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Etc\Greenwich

MD5 ad900f33830dc2a74a8f627fc0857683
SHA1 0e94823baf3e5865c79f728bf51191bab399070c
SHA256 d7b39879094135d13efd282937690b43f48bb53597ce3e78697f48dcceaeb3ec
SHA512 819a2e25d2fe633867989127fa374ad3efc733af375b9db669a3372e7883a2ee5965d557b852a09a71762562cb38947405891f2176d97e3fb45eaea9224761d3

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Europe\London

MD5 0893552f7fa23c170ff0c8ce50280840
SHA1 ebbbd8852b59532ffdb5c32b1623afdfa8231780
SHA256 b14c486019e3cb259cf8235a0d6a4bc3ff6cfa726a165f1ea2df403c8ae31b86
SHA512 461f6c4a14a723d7cde06235ec067899800db3f3729a9d7327fe2f75da8e9c9e2897f0eeaff3a732dd8aa078f34a798065628319ba25c15daef25f2ada29e1e1

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\Europe\Skopje

MD5 5c54d192481fed74b0cc90352ed5de3d
SHA1 44797e1d8343743f9f77ee24527db98491c1609e
SHA256 e957543623baaba84999b40188e7e0948471b75a8ff4f88abb267e773feb8e5c
SHA512 ad52f04fadebbc8a44a5c16dbbb8b049420853e451538b61a8556b0b2c47937c3e11738852d9c71cb0eee1431bc9110f10a6d8b5cd8b6d3ebd46b45967c90c7f

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\PRC

MD5 c2b2749e486441161bf61d6fec4c97e5
SHA1 db79f6be81fab3de51442b36cc3cbf1b627385df
SHA256 953622bbd7eb9eba8c3b9e8cd5d5ec98cea6a085a9deb1c43e49e889a154d344
SHA512 05d0bd34a102a3029f5e2a1e2e90ace79ce2af87e51f36962c89d662e2d495233b5d37abe857dfb7b3e1a85e69fb3c7e36f7b08225e55e7b95973e3f2d5a31d0

C:\Program Files\Autopsy-4.21.0\autopsy\plaso\plaso-20180818-amd64\pytz\zoneinfo\UTC

MD5 fe9ad2d5c4c79122a99b4d5ed44fda0e
SHA1 d7948ef155843e0c7d055bdc3632877b49873864
SHA256 3c71b358be81e13b1c24e199a119fd001dbcdb90edc7d44c2c7ae175321a0215
SHA512 793bb4d4603a238b5f1c3dcb07e5f42179d40e8df775831cd466bff699444788894fa3e916e5da9de62502218df027b6f1b95ced8c2b05b96a07ea50f4c71cc9

C:\Program Files\Autopsy-4.21.0\autopsy\solr4\lib\ext\slf4j-api-1.7.36.jar

MD5 872da51f5de7f3923da4de871d57fd85
SHA1 6c62681a2f655b49963a5983b8b0950a6120ae14
SHA256 d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0
SHA512 f9b033fc019a44f98b16048da7e2b59edd4a6a527ba60e358f65ab88e0afae03a9340f1b3e8a543d49fa542290f499c5594259affa1ff3e6e7bf3b428d4c610b

C:\Program Files\Autopsy-4.21.0\jre\legal\java.logging\COPYRIGHT

MD5 4586c3797f538d41b7b2e30e8afebbc9
SHA1 3419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA256 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512 f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Program Files\Autopsy-4.21.0\jre\legal\java.logging\LICENSE

MD5 16989bab922811e28b64ac30449a5d05
SHA1 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA256 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA512 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\Autopsy-4.21.0\bin\autopsy64.exe

MD5 206bab4cfa6d4360c50ad996f0a1555f
SHA1 6ac8ce495b870fa8341ec39a84df838b33822460
SHA256 ee790adfcf8436d7b128ddb43d6f6df1a8404df7612972b2bef7022b4f27bf69
SHA512 5e38f57055aab79130a4cd4c141d28d9c59862fd6b6e238bd2b2569d23296cf2012a0b6a714c0ede6fc108daac927e5ea4bc50c5499c65992e7f739502fb05d3

C:\Config.Msi\e5d58b3.rbs

MD5 78f705e2b473abde0eb0eab5875f4cc5
SHA1 fb3a8d6fab6bad11191f8a38fb1abb2b83744821
SHA256 fc45aa2d807a5247ee76da29123ded50c28b4e1d6eb7eee0274138abd157c9c2
SHA512 ab037c081b227c59195fd067da5dd6be4394cc01a673592a495c68ffc8eccda16861dafc2ebb28ab076ecdb0011068b197a2e11fa5a58407ba55104d64da5096

memory/1440-8583-0x0000000008DE0000-0x0000000008E4F000-memory.dmp

C:\Program Files\Autopsy-4.21.0\etc\autopsy.conf

MD5 9fb4c436b9dcdca7bd051b146ae0f614
SHA1 445bae7190be56387a97777fae9297545732ec71
SHA256 5882413a1da59f3d8050c009362793c96a2cc707d903b3e794e176dc271e0698
SHA512 decbc620247f77c3631f762c2a520ce0a2d35d06050798d4b4c96b18dbbe0aff745fe1107bea2adef05daf836d579d931c4381c5f0f6abbdf126879501f013b4

C:\Program Files\Autopsy-4.21.0\etc\autopsy.clusters

MD5 a63b7001c60b705015b077af7ae08510
SHA1 bac71127e5398d33104679658269a57c6843effb
SHA256 b3136437c638226bd2f0412ebade4618b3cee5a6df3af298f57c54aa9de2edc7
SHA512 30f69e0736bfcfdf417c65604c3dbc81af22f56dfeae72d357ea2d410c79573eed236aa989756d2a4719bcfb04aafaf320d05c7fff2ef7f3ea529adb5f01072e

C:\Users\Admin\AppData\Roaming\autopsy\etc\autopsy.conf

MD5 c2cb8ae924838df41784e20d738d66ee
SHA1 b2614c80f2eb0b3b960854f8d4c8be02891b6ba6
SHA256 912b04fdb630f5f62167b136f397da17adc63914e45f5d07d44c63d54d394a9d
SHA512 bc83e67259f7f98287223565a685e2e745d85364231cb12bbdfc8f74949dfb4a479755adecfd8d15e4b32fefd660b45b0b766f5265a14a4c5a17df2c821610b4

C:\Program Files\Autopsy-4.21.0\platform\lib\nbexec64.dll

MD5 57a6761d19c0abce284606533305ef84
SHA1 030e2a78e3536965325764fda0e3ccf456877b61
SHA256 4f2bd7ff4e40fb18dccef4a5d21d217e23af4a9db2d079f36c2bcca61535a2a4
SHA512 f395b3cc61717b5ffec08ab0bac59466f8efc6048774f4f8d36323e04ac86d7a7bf6e180fc8c24446decfb2fb78e036b0e19d3b24311da5a2109e2bdc119e46e

C:\Program Files\Autopsy-4.21.0\jre\bin\server\jvm.dll

MD5 ea66102d0854d2c2478a005048340b74
SHA1 6b2075c1c6389999fd7d30ffe1bf65892db93a75
SHA256 10b75c4bc3d9b733652f9b761d950d184b2a0bb4ffd5350b5b47236b44be08db
SHA512 713b988c274dee776455425061d6de9c85ac9e74fb2cc34849a4396972a31e02294a9c7edee1313c4c2a31ce1cbf308a0f42dba9243befba8596f7eea2474ffd

C:\Program Files\Autopsy-4.21.0\jre\bin\jimage.dll

MD5 91078808871648430ba05cd1bebeab23
SHA1 c340dad3402c20f9cf74bc7a1f5fc81f1008879b
SHA256 669647452299085cf1d4c6a6aaf4e792792e0eefe034a98d44be6d4f0f765886
SHA512 5e4dcf962428e7e72f7d1f3ff77e62aa4dcd624e412691cae21704c313c3024f726e54ea9b4022e19a2046c6df7d6545ae85bb00a51eeb67f0b9749a595ef721

C:\Program Files\Autopsy-4.21.0\jre\bin\java.dll

MD5 bd19a3738fcacd1e97d10c476a5ebc02
SHA1 e9379582f779ca7ee0c9f845adf1dc3fbe85498e
SHA256 62ffc7a48edadac928386008627586a6393a207d3a60a3b6b7cb371132d24ecc
SHA512 662130b2967a4b4e4f0b0ff89461ad57b7d2254da9fd07f91445d5aee4b913fd993cb1d87c87c064f5ff6efc95a04e950eab1f8fa232700eb4341b35f7f0b39f

C:\Program Files\Autopsy-4.21.0\jre\bin\zip.dll

MD5 f16c5a2fe5b01acf8309bdc916bcdf90
SHA1 e9edd1583c845bcd2d92017da9fecbe2cf8a0f5d
SHA256 d57d9204e1e5973b92708288f161307b82c12b373aa894f33bace9f42cb6c0d0
SHA512 17360e28b5f390516bd5006070d512bbd67ced8725f11023f16ff4f50b807b9b40226ddc444a1083e319880041662d954c470dab0d164faf343444ef369f5592

C:\Program Files\Autopsy-4.21.0\jre\bin\jsvml.dll

MD5 2f8c3114677807c37c8c3b1b26ed9234
SHA1 716652c6943bbb4751b870cda2009edf3fa52b6e
SHA256 c460d645282990af9b0aa3f33d8a397dc0f895646fca3a37329ea648cbba6f3f
SHA512 68cc05f61192ce80d2c77fe70f84379f2620fedd54d164854e4eb62cb6f686651eef4ac77597ba0e91f6f59260f9dfeb27eb8ba298d13cb9ef49d216a166de6d

C:\Program Files\Autopsy-4.21.0\jre\bin\nio.dll

MD5 a56d9921fa5aa0c75652ff41f98c9311
SHA1 317e30b7a3646f4a9b16177b3a66eb7d49dc2d34
SHA256 cdf0e159dc013b7ef799924a7107f96896fbd2efe0b0e6e6ed4a6032a5f2f77f
SHA512 eb3d4d43930bb716792513c61a98dfa4a57206f4978d49c7026c38ab46cd99418144d85fde21632a6603c311c4e2907e6b66bbbb94d8ee1f84a9261575a3e6f1

C:\Program Files\Autopsy-4.21.0\platform\lib\boot.jar

MD5 1fee4c2909f547300f0e0cca400e3358
SHA1 4664ed505a45b098ed9a596ed359cfdf9642547a
SHA256 d667d5c0d16c13d0f99332d0ed4eef88d7c470754d2646177c46a810003b32f5
SHA512 41c4ea8ca678fc0b7f109fcbe52bc097ba10ce63272275c95b3c5201702b7e7d2c2d0ba4ff1537251150a90950c96f7ed64b953924711e1b0e51732763b343a9

C:\Program Files\Autopsy-4.21.0\jre\bin\net.dll

MD5 2f8b82a62e9f8d81ab75cd5486c741eb
SHA1 3887a5286bb80ee65d2372ca3c153e6dc7388a19
SHA256 c3a54b42b1c119222f3d8d9dbef473a6287399c1266caf8ce8fa673366b9b88a
SHA512 071f582668bcaff4421fece9d5056f011d6c4dba0d47ac014e0de8315ffc58e09a5ddb51581df18b291b7f60bf1f3cab497117ae4badf97c24fe81074153e861

C:\Program Files\Autopsy-4.21.0\jre\conf\logging.properties

MD5 0f00ec3e7a7767a4efeae1875fb5f3d4
SHA1 167808418571e9209b952188ddab2f4e62920e68
SHA256 b62d2733ab99556b108a1951d894c5a8d76b1ac7a00c02c388f9eb9be046c56f
SHA512 e869f4a3b821a9933796dc9a56ee00483493369dfbfe07b3b1d895cb8318c6821cd44134eb37513f15b830c25861b596646824ed56672d08b678fefe6a4c7504

C:\Program Files\Autopsy-4.21.0\platform\lib\org-openide-util-lookup.jar

MD5 2fe9008bd835b2f5f303bbd854a12814
SHA1 46431c7467f39bc8239930f68ce47787f76939ae
SHA256 7f555c62404f0f841394fd60c88d25578061a17f31cbf1f0145e129051325096
SHA512 bc08745b72d3fbaa829c461586785b5604b400c35c785badc46c9d1a26598ad090fd6cf4691b14a61619b02daa1a7fc312db9c17457c381370a5fb5d7d981e83

C:\Program Files\Autopsy-4.21.0\platform\lib\org-openide-util.jar

MD5 1e748c74679dc24e68bd70622808366f
SHA1 145ebe3523b0d7c976b7d1e447f60a0f9b75b6f6
SHA256 f4f605bd9785f7ec8d6d8dd54c91104fab31b1118ca8cef89ddf85ceafc6eba0
SHA512 c83932d88c4f23b748bea4fafc526664e9e5d47cda25af5598289e057c6930f4573b7a4e2e9fc76bf29172e71275e673d479c9284db2f506e8b5f7516b09c7fa

C:\Program Files\Autopsy-4.21.0\platform\core\core.jar

MD5 2594e6c00fa8f3884fe64d2184fe2ee3
SHA1 5fbb1f6b3268c2d0a4debc20c8906fb0b20fe013
SHA256 9d9091bb7977771bfadf92fee7cdf7d5dbdae76225f396dbddeccaac07164169
SHA512 9f38a3d053a056f32ce79679b16e569f713ae0b1aed275da80cc89cd4e26cbfeff9785a9fc821db82287dbfabb5409c7220cb7af84e672f6a2de16926c4cbe47

C:\Program Files\Autopsy-4.21.0\autopsy\core\locale\core_autopsy.jar

MD5 207a56c785e5bb8b7ba08919e3ae43f3
SHA1 9fe9eddcdab3f7bade7e43882226add1046e0601
SHA256 6dd6aebefac0177cf90b4c2d8b7e7ca9847c5b97c5b486b37e67582400b683a9
SHA512 6b630daba8ebd14e097147677b1c8a7558a0b8ae1aa10ffe0fc731e1b2c398905623ea6a92eb31811a53ba53a553a68c2d4060899724826f4edec185c5786c88

C:\Program Files\Autopsy-4.21.0\platform\core\org-openide-filesystems.jar

MD5 cfafdefef7180cfd2aefd1c15b3a9f64
SHA1 3a9a4981531246ada42802672584229e87f19f07
SHA256 04d3f807a597533d24ae55b3f5646357c6247f5bfc2f324332135fcadd75cf9c
SHA512 97bdd073449e5265c7389c78dd686a5502ae88c4801a6ac74e2235d31defde3bfb0b230fc12890dfdbb2d9310ff9f1e5835305e32fbe624674e776c03cde8cbf

C:\Program Files\Autopsy-4.21.0\platform\core\org-openide-filesystems-compat8.jar

MD5 2102805eb3f24e5c73492856c199dbc1
SHA1 401ef08fbd7a23b037758ce6e2cc1e2204cf017d
SHA256 868e3f1c002ab8b1e6b8522bb3a35fad019baedb660c253e24cc2b3c8bcaf4a6
SHA512 cb56c921a0b4fb5a59921a38607fdad373c88973fc8a73d1fd8068666bfe44c2f6fd8b1cc92a4571042d2654de5f5f0480727a0f6a776977d1e76d149b5237dd

C:\Program Files\Autopsy-4.21.0\jre\bin\verify.dll

MD5 bfd8b59f2c168920cf00fe1c326f7d4d
SHA1 69b09cc0fbc8f231fe389b337e0a72a53b44fd89
SHA256 3f368d429a48c254bbfc9223de4d66d2f3cdf7f7f5714e95cfc52f2f876dea06
SHA512 41e868504601ba914ab1abdae91b08c4138015c27dcfeef07369c08ffb0350f4d6ed6171dd4ae1daecc6706746efc04ee5e6a97540a5ccf9810b16d52097ed84

C:\Program Files\Autopsy-4.21.0\platform\core\org-netbeans-libs-asm.jar

MD5 099510686a56eaeccaee49cd8e75053f
SHA1 c2ef76b5b00f577d2814fe8d2a704717564bfd93
SHA256 dbe5f377bdc7d089bf32bf540eb5c6b3ca2fada8fe17f9943bb6819bbc7202b2
SHA512 47a57c55ca4f0b1003ae1a429ad45055c71a7a6e977ca26dbb0c3aee27595fb9dd5ae312aaead409455d837fece4f969b3dd416b63f64a33a15af15259b598f5

C:\Program Files\Autopsy-4.21.0\platform\core\core-base.jar

MD5 0720eb4b155fa978809090cc9b539e96
SHA1 303673e949eabaa19ae20e8cca14a94a99287ee4
SHA256 6356989c0aab619c9f0db38dbcbc5f3a1071b4606c0be8c9c9a2b4b1b50b77ea
SHA512 f73139e7c48150c4bb2b648c258df9aa8751d149cb40539c10931339d4ee6d2819a80abe9ffe5f65b3bfa9c30aa4900068b2c8cb9c138ffc3ef8bb9f60539c39

C:\Program Files\Autopsy-4.21.0\autopsy\.lastModified

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\Program Files\Autopsy-4.21.0\platform\core\asm-tree-9.3.jar

MD5 f087bfb911ff93957e44860de3e73c46
SHA1 78d2ecd61318b5a58cd04fb237636c0e86b77d97
SHA256 ae629c2609f39681ef8d140a42a23800464a94f2d23e36d8f25cd10d5e4caff4
SHA512 666318e09f4ae02652a64ce2ddd4dd51275a1917108061155aa8d1d9956e9d54bc259d0586ed7cd745c6ac00ab54fbfdd577f6ce915a158fc2eef373d65d445c

C:\Program Files\Autopsy-4.21.0\platform\core\asm-commons-9.3.jar

MD5 16e6ac17d33ad97baa415c42e9d93d38
SHA1 1f2a432d1212f5c352ae607d7b61dcae20c20af5
SHA256 a347c24732db2aead106b6e5996a015b06a3ef86e790a4f75b61761f0d2f7f39
SHA512 0bd9c61553808b8a12822f009ea5622918033a9fa8cb6e3ef319bbff08dda00cf439b5653f25d8f3362f02166530a0eabe2664f1169bcd63e2ed93a603c13874

C:\Program Files\Autopsy-4.21.0\jre\conf\net.properties

MD5 385443b7e4a37bc277c018cd1d336d49
SHA1 b2c0dfb00bf699e817bdd49b14bc24b8d3282c65
SHA256 5bc726671936e0af4fdf6bed67d9e3a20a92c30b0ba23673d0314baa5e3ffb08
SHA512 260afc7671a1dc0c443564f1d10386f0b241bb53c76df68d8d03f1d0b1ceaf3f68847ab3477732c876c2b01c812ef7521744befe88e312f3aa63164b608b67a1

C:\Program Files\Autopsy-4.21.0\platform\core\asm-9.3.jar

MD5 e1c3b96035117ab516ffe0de9bd696e0
SHA1 8e6300ef51c1d801a7ed62d07cd221aca3a90640
SHA256 1263369b59e29c943918de11d6d6152e2ec6085ce63e5710516f8c67d368e4bc
SHA512 04362f50a2b66934c2635196bf8e6bd2adbe4435f312d1d97f4733c911e070f5693941a70f586928437043d01d58994325e63744e71886ae53a62c824927a4d4

C:\Program Files\Autopsy-4.21.0\jre\bin\awt.dll

MD5 fd9d949fe0a3375be676f828b6d39bd2
SHA1 f9993e0472ea62753de9ea875b4123f623c79455
SHA256 94d8438345a09adac1c4a43b0e86149480ab7dc49051f94c7e796446de8ddb87
SHA512 481fe5b9a27a2a9c6584f45f6639f294a2a02a1c402190f50338163327ae5589c2d7f413ca603473403020cf14df026bdab87b31b6c02a25d27f185bd2d44c65

C:\Program Files\Autopsy-4.21.0\jre\bin\msvcp140.dll

MD5 bf78c15068d6671693dfcdfa5770d705
SHA1 4418c03c3161706a4349dfe3f97278e7a5d8962a
SHA256 a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb
SHA512 5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

C:\Program Files\Autopsy-4.21.0\platform\lib\org-openide-util-ui.jar

MD5 1c3ffc9de77cd29763c2394ba30e9489
SHA1 3dc781ddc17794328222cfd6d3405864e5671fbb
SHA256 f7bee77e33be8a6916bbbfe2b94bdc832b110da982f88449aa88baefdddc61c7
SHA512 e1bb0fd6362389f4039d210ff7f516f7d405e509bc585d43e51b2763b3906a3c94b1251c826538505478b53853e61757457c0b231b0fc60c14b95248ecc6dea5

C:\Program Files\Autopsy-4.21.0\platform\lib\org-openide-modules.jar

MD5 e4e8f595806e4724e807dc24126f84a4
SHA1 26cfdcf3483979dc532e50f85aff88ea4861f606
SHA256 4ee260355ddc1aa93de34cf9ff6c2a2329085790e2126ac892d30d5b93f0f002
SHA512 1a0560fd0b76ab4a0f1d47818875c04228984925bb4312d877f6dba44035e00fcf04f233caa1db8911d832d60f515b5965dda70d19c12e8c6ef9271cdf4c355c

C:\Program Files\Autopsy-4.21.0\jre\lib\tzmappings

MD5 b02ee240a8db902961fe886a19beba16
SHA1 c52c42d591f4c650b629e6b374e967e211fb5aeb
SHA256 36dc51c4bf787f640a4b45cbb84ab6954f6e595cbd3617c2f5a4e1e607b38bff
SHA512 024811961511b7182860ed03a5670f82412a45d005a1db0876f6b0c9af7e96c104566abff0ebbded11a780349444214291f439039d20fb92071c7dd24bda0e23

C:\Program Files\Autopsy-4.21.0\jre\conf\security\java.security

MD5 9de4139494e2c62f18b76e5df12e2dff
SHA1 9f3b4e00dc585f09b098247463f0165ee3f34740
SHA256 d3869371d15a199e17e227a45b95e6b78b69fce329dba03c4a2a42cd3efff20b
SHA512 d4d150b28a2154c5c4474cf0289b66cd0dcdeccbc0cb943b98411efefb76af61211dc528820b753ffefe3a6d5a7272dd6f27e78e93bce776d258a571c0e7a90c

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5882915219919032381.dll

MD5 34d12b1e2af72d9bb267bbc8c0d53e4a
SHA1 d9ed8776645f6b4f52df16132450863c47ea92d7
SHA256 13b2cac3f50368ab97fa2e3b0d0d2cb612f68449d5bbd6de187fc85ee4469d03
SHA512 c0a063477cf63a8b647ea721842968b506d70ea22c586a412707d7293b46c218b6a510f34b7dbedd3ed29a9d4b5dc5c6a1995403d65884b17348a9545e580a10

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna17357335816786576145.dll

MD5 cfebe457d00a97c2c5f8930bdbaae1f0
SHA1 526e95d2afde5ef07dd0aca671261dfbc7fcfa17
SHA256 cf8e552ee05cb0e872797ecffe0f9d3dc67e513748f3cd957f79e0f2f3d66ac2
SHA512 fbded4dc03011e58219f622e724c0737475ce95a1a3619ca5e68babe5b734afc664523e93f96047e20d4d82411ccace0bac42f1dc77a2da2f94886ba04fab8a0

C:\Users\Admin\.openjfx\cache\17.0.7\vcruntime140_1.dll

MD5 fcda37abd3d9e9d8170cd1cd15bf9d3f
SHA1 b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2
SHA256 0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6
SHA512 de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

memory/2224-9091-0x0000000000090000-0x00000000000CD000-memory.dmp

memory/2224-9092-0x0000000068DC0000-0x0000000068E00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 25a694739f3d2805dff65edc3a627403
SHA1 d990a8a86ed8d4b914fe6e7696835f37f55b96d7
SHA256 860c2af48f9e017b9682ab4f34f32f8c2af201bd12e07c561ae0cff5a4241680
SHA512 62bcafc023fbc09d63be5e8ab52d40a25adc933a16febc57dce55815e8ac7eb52559cea181b9fc0a9824830b66cb7277eb3da54233dcf12a0ef065349971dce4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 0df45895eabfa9829a0c692812bf919b
SHA1 fb18db968eda09bb1c18913ab45800fd691b2838
SHA256 632c65b12f29dbe905bc7a779d7a1bc1bfc8b80f7da1effaa011842e08e9a66b
SHA512 ddfc68b6eea77403b979209d422d5c1906abd2834937d0a773cde14bcc2820bc1d2a1db7966cd11a00d8e291bbbedf9517cd8fdc4d46beb6deed2c017d8969d3

C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\CentralRepository\CentralRepository.properties

MD5 548e14025bb99c176001f6835baf7615
SHA1 3fd5840f6704836e7a4b9a15f2b3e2fc94df16b7
SHA256 47cbf4001e025ebbfaac6160fb1b8bae590fe0d724f5b899a2f3e15dbb282839
SHA512 4dec5b75bd2502dfb82e544c97d8210fef74243417784c216766d4962074490c0ebfb1d7405dd635de656d1a099f4efaea35394a30042570d3e0c973ba5e4790

C:\Users\Admin\AppData\Local\Temp\sqlite-3.42.0.0-8630f1ed-be1c-45d3-a2d7-25e47bdefccc-sqlitejdbc.dll

MD5 16d165c26c43d841b5ec73d8e0d6fc9d
SHA1 2673a2ed3c7e269abf2b3203cc5bcbb52031f93e
SHA256 451e319b14cf9b35b99cca2d245e50e97205b7dcabeeccd8fec6bb54c8a2e84c
SHA512 694d5261d09a03e1967d41cba5f36a855a0fb9e4684b918ee35d62af9ff671635590f07f1a709de17b7672f2939cdd78f0c0e6c683e90762dbf9e12283c45686

C:\Users\Admin\AppData\Roaming\autopsy\config\AutoIngest.properties

MD5 2035c4f46cae8a8f99397d7e50cae88b
SHA1 3a8af80574ab1725bec787e75a7e4ff769e47c8b
SHA256 a6c03fee5791105f115090162004c582cbdac37703a3336590f2a74f62ba4a05
SHA512 3c64387bcfb3575e0ab7859331630b728fef87d7229331f9740bed6377099a4f615320bc5c9d09c478e6f15d62283b04e69ceef5dbff5c7d9b7180082118aeb4

C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\CentralRepository\CentralRepository.properties

MD5 5a1d7b06cdb02765f77290967ae810cb
SHA1 accea9423d89a5b84d456ffa3234d9dcb68bf426
SHA256 50195062488bea2bef1a614a767cbeae180b2c4c665a9fb6136adfd34ad0b732
SHA512 165ea5f7b4a5aac1ae73edc1b598394f0ab3236b333f95d2ff935ba7295fbfb78644c8c4cc829c3e9163033be9ba38b7439a8193a948de74e47be76c98b4754c

C:\Users\Admin\AppData\Roaming\autopsy\config\ModuleConfig\CentralRepository\LocalDatabase\central_repository.db

MD5 105c7427f543efde37dbc07e9cb6d5fd
SHA1 12d407ed2c2e5e980d2a2440c9d5f1e96b7f1f73
SHA256 278e3e639af0ed304b8ab868919e772618e52254ad96b2c295881ecc83aaa00b
SHA512 45901d194186971f950356240550916a194ad5568e543294d8bb9996b8181acb7c75a7e7d0ddfbe7e4a74c2a6fe05a5ce13e72ce623cc9f55976dee70b8a02f9

C:\Users\Admin\AppData\Roaming\autopsy\config\KeywordSearch_Options.properties

MD5 9c453010ccf01552f94869ef0b9696fc
SHA1 17931039d8722270b64d3c9888a7362fe03b0ec1
SHA256 816faf29477c0c1686f8be082a822bd1a980a4c4a12f63eb0002a3ed19c50b2f
SHA512 4648aeeb89fd8238d1119d8a957d1f61b3c45acd2712431a4606a1dc4370b25bb94b9fd201eb9d08f0d2c3b4ef3986c6d6789a1e8647a24ec1061121fdbe594d

C:\Users\Admin\AppData\Roaming\autopsy\config\KeywordSearch.properties

MD5 bea6984c3c14a39793124d911daec82e
SHA1 f5d8e9ffb4a476479b48dd4c0843508b829bc37e
SHA256 d2cf2f3eb78bcd3b1a93b1404d60cdf7531033bf54d03b402004d59702888234
SHA512 10a01c5ead19ac6e493435adf10c321603c91b62eefb6f17b21890c8804216265c56460a061e1e76961b7d8bd30207a2ea1cd2f825f24dbdba6c0b84acc64130

C:\Users\Admin\AppData\Roaming\autopsy\config\KeywordSearch_NSRL.properties

MD5 c831aa1538d4f8cf06fd981cda840b81
SHA1 a2ea85c9c2c140443b97be5b780884044714ff29
SHA256 a9d7cd3ff1206a5ba285c5f4b742f51746edea4b4a6aa17f605d8d460b3a6e42
SHA512 0fa10552586e292e374cb76a5216b6f29a8ae91c76f7020cfa735fe48251d64118c6262591f63c20923b1331cc34c694b9802499eef43a52e3c1ea0c76f40681

C:\Users\Admin\AppData\Roaming\autopsy\config\GoogleTranslate.properties

MD5 796ede5a792bdd5b925df9945e6bbfe0
SHA1 af84f5ed19a1f69c431b4888efb7ea0fb22aee18
SHA256 de249227b10d550f3524cf0dfcc1d527b5c6ae14ebe2651259f3d9c00ed39ff5
SHA512 cade536048b48258787525d3fff3d6e13249b751d76037f375c49bce55d75ae14abec4afe149cb35b0885b5fc56cc5f96bffba5d89fcfa9d1ad5c93e5a8291d4

C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate.properties

MD5 e3016d31f61b449b75cbb16a941423a4
SHA1 b9a15fef2d57f2509eb5d8d5982c8c84cdc4f261
SHA256 b17044a68044fd08e4d19813e04d70217c630473855f2d41644f1c9840dd004e
SHA512 d92eb76b098dca2b4c4077c098a83c97f29a717f25524754ffead917e5ef68fe56416513a023505de8564f6bbdcfba09b44d6bdc7edad3fd913843fd975ae526

C:\Users\Admin\AppData\Roaming\autopsy\config\BingTranslate.properties

MD5 db2546ba2737ef6d3c5c34abba8e5906
SHA1 4f9f9c22abc1cfdc30c04bac6fbed0b8c6e65f44
SHA256 985c9e9654e83bf1b399c76eb4355ea1aa0456b6ec3396422f4af4c16e46b72a
SHA512 704f6f84f68226e39f7eec487d875d3904b433759bb4b22d120a0891deae304f4c8279248e8c0963e5ce4e2277d834d0cbbc2f34656f3ff492170340a3840b47

C:\Users\Admin\AppData\Roaming\autopsy\config\KeywordSearch_Scripts.properties

MD5 8545f9dccba284848ecbb7e44deef51d
SHA1 0f717bd9929a28e23578c07d1849c7fb302cd6c7
SHA256 4d03bcd7b41640c95d8b7bc276b48ded613314d14ef3a9257fac2918d8fad0e6
SHA512 3407f099b6fceb160922bb190750a5bca8aeeea05f939e4fc8ef8758597d83ebf2cb4feeff2c22bae26db3a72d797aea8d2e82a0cc5127458918f268b5ba2d06

C:\Users\Admin\AppData\Roaming\autopsy\var\log\solr.log.stdout

MD5 bbe118c74e1618d11340a5afc01309b5
SHA1 963ab54defa022dae461dfb5f7e800e949444761
SHA256 65b6e8d3fb3357587e71cb4e4daf4176d29af0aa55057943dec6d5a7ccb2b7c7
SHA512 4d63cd5bfb4bcb9cdf93548893deba4600374dea7792bc58775d1734c1824cd1b8e8358e0b809a2d39af27781b45cc833e8956cd21c06c9c219c4e13900ce93d

C:\Users\Admin\AppData\Roaming\autopsy\config\Case.properties

MD5 5ed4faa6cb56ff5e91e1253b75908dac
SHA1 9acaa62eb16ffa03aff7c409ab3dd219359b3ecd
SHA256 2f50a52d7df8608bd3a0a11afbc90f423a264bf8f5d3a6efcbaff239a7faaf77
SHA512 2f3ea5a66d809b6efcfc97403b80d624b8950664b47af595559b98dd4f5181f385abbb9a51d4993de567602b9108d554c3e2b49dc2f21642b094647df5acbe66

C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate\org_sleuthkit_autopsy_core_update_center.properties

MD5 1223c8960937979bba282ea787f3f695
SHA1 fb303d6de1b2821f35e9ea648f862ac31367a61b
SHA256 82012f0cbfb8e635cd954eb9eae1e8c73aec5499ccfba85df71b257476dcc237
SHA512 a2969fc4a9414a9f58982375fc884eedd83bedab04f62a3e40f473acb831701accb7d3f39b1803e3fb9dfb33c1d9290926ca29bc1384eba25262ab51ca411936

C:\Users\Admin\AppData\Local\Temp\jffi2171062112944879624.dll

MD5 5d80b61c1f9e31860c17b3a410948e7e
SHA1 5ca292116336ee4ceed00d10e756afea580e62cf
SHA256 58398ba5cda1b7cb89ad4e03dd4a658006956f81acfef4efb4e7dd934e2733ef
SHA512 bd97f9b96c3d831bb6988878408dd6a26e4a64791b540766fe578e4c79fee54bca9af87447ac4c3392c1f0c4cf4f14278ba102fe9bf9cf8f96b545e2908f7346

memory/2224-9899-0x000000006E4C0000-0x000000006E4DF000-memory.dmp

memory/2224-10003-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10002-0x00000000075B0000-0x00000000085B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\autopsy\config\Case.properties

MD5 5047357ce4ec64c59abcfa130fbfb769
SHA1 8af174cbb9e4ed0222473eda4d54350bbb23790a
SHA256 b13252ea531eba9b10c492e67f46dbac33422f8f39a5166db23929135076c662
SHA512 3f0bd736e638be6f5df230eddef1e3a802450c8cf2a4dbec3a03189b9470977bab36104e2ce521e61c69be62b19afbc29b4ef15349bc0540fc65be14ffe127ab

memory/2224-10022-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10023-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10025-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10024-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10021-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10017-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10030-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10029-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10031-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10033-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10034-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10032-0x00000000075B0000-0x00000000085B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\GPX_Module\GPX_Parser_Module.py

MD5 7c90d60374097f9bd2801a37d5fbd14d
SHA1 bcccf7ebb6637318321c13f1a87430fe01016890
SHA256 6695ba8e7e2868641a129f21f024a20d8985376b378c4fa679a85fbfa3b022d4
SHA512 c59edfec60744b4797cb034173a98fbc5c82d93e25b7775e2c94df9b4f92918a64ecdb5bac263598cb24e971c03761252ef5a0be6e6cac96ffc879f4781af9ea

memory/2224-10037-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10040-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10038-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10042-0x00000000075B0000-0x00000000085B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\autopsy\config\keywords.xml

MD5 68547416a0796740df3d9b90d987f2ff
SHA1 430cca99b42fb4e44d9e372eb06e0d256bc26d2d
SHA256 1a7e00b6b315a7b20f43bcb27708af9ea828c4a87db617977d3a3900ce3c38c2
SHA512 f665f4485dd21a66486b353e12843bace95dd9593d28141dc08d50e488bff40c55f158407a04da8d8fa658938e9b1413049ded6fd683fdccd61889d2f46c57df

C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate\ui.properties

MD5 251ed043c60887a99c5b59eedb6cf5b9
SHA1 c064894a2545d3aad93763726cec82124dc1e267
SHA256 3295d0c7ae26b614f021b45bd716bda88609e925e7968ad20b5a69e25a5c4fd0
SHA512 c7eab2b51c68bde687b092d50063b60fc25eb30d4a277816349a116d640d0e8b789f65ef053795c7884e846ed0883748e56e7bdb7aab8f14c2a1f38a1eeec55a

memory/2224-10064-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10062-0x00000000075B0000-0x00000000085B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\autopsy\config\Preferences\org\netbeans\modules\autoupdate\ui.properties

MD5 f83e4541a9e2f388fa76f6434cae0ea5
SHA1 0293d88c37bf78631c052e40c2fa26a77a4c2c54
SHA256 27f9bdc102b59b7e86a87018868a4fa9398a1b40f5af6ecccf966a57b380b206
SHA512 4c02a6c8a516ce5a2712aba8d6fa70f73112780a1cb396cfa57a0008f386d76d37749184f2774c018bf8ea2a96b152cce929ef4d4b7f88abc42017bee1ea30e5

memory/2224-10063-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10074-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10076-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10079-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10082-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10086-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10080-0x00000000075B0000-0x00000000085B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\GPX_Module\gpxpy\__init__.py

MD5 b2d2e38af79ca877e6bd003963662727
SHA1 130115f16c07ef22a093563ca7834e4850d843a1
SHA256 da30a7c5154d216632bdfdf03c4c8cca4c0cc16306b6d1f1ccedbe318c2be306
SHA512 ad67d8dcb42b399b565745fe8fdd961f95eb4430d6ec5138ba62f230f8efead400c744c8df99164326ae460aab189bdec7b5c198cc178b0195637f19a0735cab

memory/2224-10087-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10091-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10090-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10089-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10075-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10078-0x00000000075B0000-0x00000000085B0000-memory.dmp

memory/2224-10077-0x00000000075B0000-0x00000000085B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\GPX_Module\gpxpy\gpx.py

MD5 1432bb1761139cfbc5811c3f010d2173
SHA1 540b057e89f7c2a0d03cfd3ba54a3124df411a0f
SHA256 937bf05e2d658910bed5508c555d644c6d214c235bc97d24484b5e185e2d1dbd
SHA512 7836ac6f1100ec282cd8f46cb360d36e68743600979ffcef23449af925ba00cd6a5e644e8cbc0398192656b4ec48b4c571319576a410160796ef745264809ebe

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\GPX_Module\gpxpy\utils.py

MD5 a7b1fecdaa340809739c32de1d4f39c8
SHA1 a32e62d54fd014bb3d656523b7dd43ba46600fad
SHA256 1ff182e74ea15a56db16661b497abdbd00283c4ff6c0ba5c5afbcb4976cb5e56
SHA512 c8453cbd52e25a755b9e849db9e7b1f12c2be6f68002c606319c5d64a820ca537a8ac23e7a64e2dfc48085a0c0bb9e783f698fbbe2a51a15ff67a98499b196d3

C:\Users\Admin\AppData\Roaming\autopsy\config\Case.properties

MD5 9128f3bc1bca26de4878ecc796de2f00
SHA1 b65750c3e8783f50a34ee8d88b9e95581dd5ff91
SHA256 84580546c58758896cabd060eb015c4cb2cabc7657c43e9944ff0bc02054792f
SHA512 64916b44a3deba230469d5a9cca8690d9b477131928ae01da8863ed9f37700e0bf1015ff037b4c3e727ce8d5227eeaf7284884876367bace8c689059389607ac

C:\Users\Admin\AppData\Roaming\autopsy\config\Tags.properties

MD5 352d21f9ae4fbdd67d20124473154edc
SHA1 86e3cf9ca4dd48019d522ae79f6ad95892fd4422
SHA256 aaef350dbc60ec3c05645ed4637107b8274938cdf3cf2fb953d2289cad8c1c72
SHA512 1ccb8c1481596b18060da199fa5450c4e490391c73dfd42c5b2f2efeddcd11102ead323ac3003ac7d62451291b949563f6fd9e0a092e90073de6d70938701909

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\GPX_Module\gpxpy\geo.py

MD5 5f4ed131e7231711f695140073a5bb08
SHA1 db5efd64e6b1d1eb60a0c49d4a7d3d4d0def1a93
SHA256 6898bd52e7907c092074d849c24e495c57c71dace5a487c7316db162f7b17edc
SHA512 70f15e69f83d38f0966c8f4491b6330eb4df12b879d0069d8250ed14ff07fd0fb8bed53285b3bffd8a0b6baa1ddca9ad6f10cdfaac6c356b55bd98fa2085ccd6

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\GPX_Module\gpxpy\parser.py

MD5 8bca17474edbd8759ea21fcf43c8591d
SHA1 6ed9d2e98a4a383de85cc42642f1c52502d525c5
SHA256 9d8585ed0678a559aadcea47677e38065f0529c6ff91e5434651b39bebcab04a
SHA512 b8a0af5d45ad4bb89f0179b55576313242aeae3bd863f9af0de307e402839bf8877b1222d632dad6c1301b74c1db31b248e1bb97a019aa2d9c1b14a80261d76d

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\browserlocation.py

MD5 53d0b8c9012a5342e3728bf1fe29e67e
SHA1 52c82e14e0905e16848201d60b363870f08a8222
SHA256 b9a163cc5b64c902e5918babd3fe771697396ce9c15341cf0e1c5a057b6234e3
SHA512 3b2d7baf00dcc0075ec7625bccc84a34e7a489db1c1b38adb45ad8746d1ac065b236c89e12682c7338402265c0f0d58131875a3c4ec911bcbb75a4a28d1df05c

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\textmessage.py

MD5 f7342a3ad91623a1f4880d986088ae25
SHA1 9d1c6b741e362607b08e01e172613cd24a27a315
SHA256 bb0b5fe1a70c1cc871ea28eb615af416c604366abfbd9e91770d3f777035bd7f
SHA512 400ff7fae35de41d4f9657781605bce22b94928acad2ab7f2d74f1a3eb83fbec035770e9f5bdee8b106f28a0c47e444ea3b50539b615d5d68f60147cc74b55e3

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\fbmessenger.py

MD5 6f0a4a1b55a66fec1ff8794c4cdccfba
SHA1 5fb32b814ba1103fd862c38d8ba6a30589b2e5c7
SHA256 4d8b6918bfd8824bc99d0622e0e630bffff05fce95af686118928ab7b6089cac
SHA512 18d7703f8af698e731b75a4f493e973de08d32317fd69bac4c24446f1511ef5a8e22f89f0084c40b2e3cd75a88eb9d611dca33fd1f2a4a294414707e95a2af52

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\installedapps.py

MD5 6315a70ce306a32a661d7335da6b1273
SHA1 48227a85e4bc038b790edb9f00aa47e7be5e86a4
SHA256 425a30a56d837944432604ac3fc8736824e6c521d3b1a3d687f14764ee414f1d
SHA512 e96ae8a17cfd22930b4e5abd74e285c487c66727e305dd73873102f14ca69fa1f427d2e706d9970244ffdf0bb108a7001ad7d162afc70af2fb6c8e4ef844936f

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\oruxmaps.py

MD5 5558c71f9c800f09a23582b26142ba2e
SHA1 a904fa0b5ff1f00c16b39402cb1a0ea14734e143
SHA256 74a8daebf7a37a05f4e6b3cd242061fab5c0551973566651baa62b77183d0fc9
SHA512 69d7ce4f28e41e2aefb620b959d360d0b9e3595599a3900428cfa55f0886c99ac56a701bde9dee7a454fc663fb595d04cc45eeb4cc78ff6392644042b86d5199

C:\Users\Admin\Desktop\test\ModuleOutput\keywordsearch\data\solr8_schema2.3\index\segments_1

MD5 3e0596f48a9db2571187f4a30cdb02c4
SHA1 7a32e09d896178f61187ba3edfd3ab09ebf5f7eb
SHA256 3625561b5a815da940a6493b5c188fc7996ed08dd16600931c61b3c4b896e71d
SHA512 3081815c97cca082494cac4e495af1557ab7167114c2188b975b4fd07a07c775ecc48430d8a3ffc98c61934e9978f6995de1450971598dd3309f64f55ab8a862

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\operabrowser.py

MD5 9ffa79e5abce57a56a8d2bfe66bcf65c
SHA1 0a8148a709011c3c27f0c1d2b6f5e98440a079f2
SHA256 1bcc418e40b32c8713d62db6035271349aa598a1733b4f09144619bc1e8423cc
SHA512 1b4b7610a384c9e58daa72f82e309b841e5a7104ddbf0e116c3bf163142da9c0ca86396c4537204437ab1c192003276b24a58f9152d45e8272aac97ae271524a

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\sbrowser.py

MD5 b702b3532ae502f8e5a43d01005f5d66
SHA1 8be77d1816c8a421082d435655b877fd38629c42
SHA256 bcee36034f79774500e10d69df0c856db5de5354ff0fced42410425047a57e82
SHA512 209cd787fa33dc2958078900246eb7ad0292404f625a8a3da5f195c0a3d85e2ee31a38debff6fd9f12b6ffc3117e793e99debac2262897191582cae837dae063

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\textnow.py

MD5 fb995feb37df4e43a6179c59f2b69ec3
SHA1 4c86e2fd34cb3b440e5bef0b0b0f800fee795510
SHA256 829229ca1124f3b70e1078f08bb9223601812212b94ea13e363e00f8f97c33e5
SHA512 dbf113c3143a48e3721209fa60e3a892243e97ba0c980be616b1884e7da309f82f6d0748d99a176e4d052f4b3be79a4148690a3091e7238a9820ccbddf3577a3

C:\Users\Admin\AppData\Roaming\autopsy\InternalPythonModules\android\whatsapp.py

MD5 a0340169ede0b157b3291c252be36e79
SHA1 080826820a0a7a52223c9be79778b4d492a9db42
SHA256 07fde65c010b6b1787090544f1a50999d8c4b2e15a8a6c288cd21ba137d93667
SHA512 e86c3a874a350b78083736f78c287d6a0b73d027b6ab720b9abb51766213285b510c4c3a8823688db094c73034eb2c7fe81558cda7f8ab72d0f29500cad841ec
