Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18-10-2024 18:14
Static task
static1
Behavioral task
behavioral1
Sample
58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
-
Size
676KB
-
MD5
58d950929edcfc0a3f1def7620d62fd0
-
SHA1
d062ad6abfc4bf4e5491b70b1200ca2ff7922904
-
SHA256
f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c
-
SHA512
cf23ac522ef46f3f42be5e79d36e4c189bee8a1d282fdccec12ffb97e7200fcce4f161b17030c8ea5c90d99be7926732b25f4ab25886f8a3e6466021cfec5fb4
-
SSDEEP
12288:2QMuiMQn3i8BpVCFeKq9Ipo90lbKSpuQO2tW05l6qK8sWg4gPp73:wrBpMMKGIpu/jJ2EYl6qdgjd
Malware Config
Extracted
darkcomet
Guest16
79.172.26.136:1604
DC_MUTEX-HN17VDB
-
InstallPath
System32\Drivers.exe
-
gencode
T3NMNGnXGHkl
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: AdlingV4.6.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\System32\\Drivers.exe" (process: AdlingV4.6.exe)
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes: Drivers.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: Drivers.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: Drivers.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: Drivers.exe)
-
Modifies security service 2 TTPs 1 IoCs
Processes: Drivers.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: Drivers.exe)
-
Processes: Drivers.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: Drivers.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: Drivers.exe)
-
Disables RegEdit via registry modification 1 IoCs
Processes: Drivers.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: Drivers.exe)
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 2632: attrib.exe
- PID 2832: attrib.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: result.exe, result.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: result.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: result.exe)
-
Drops startup file 5 IoCs
Processes: result.exe, result.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_reports\NO_PWDS_report_18-10-2024_18-14-29-F568C3BF0F97A052D1B46DB02CDA315B-JCFK.bin (process: result.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_reports\NO_PWDS_report_18-10-2024_18-14-29-F568C3BF0F97A052D1B46DB02CDA315B-JCFK.bin (process: result.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe (process: result.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe (process: result.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_reports (process: result.exe)
-
Executes dropped EXE 4 IoCs
Processes: AdlingV4.6.exe, result.exe, result.exe, Drivers.exe
- PID 2244: AdlingV4.6.exe
- PID 2248: result.exe
- PID 1664: result.exe
- PID 2524: Drivers.exe
-
Loads dropped DLL 6 IoCs
Processes: 58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe, result.exe, AdlingV4.6.exe
- PID 2452: 58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
- PID 2452: 58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
- PID 2452: 58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe
- PID 2248: result.exe
- PID 2244: AdlingV4.6.exe
- PID 2244: AdlingV4.6.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: AdlingV4.6.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\System32\\Drivers.exe" (process: AdlingV4.6.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe, result.exe, attrib.exe, attrib.exe, notepad.exe, AdlingV4.6.exe, result.exe, cmd.exe, cmd.exe, Drivers.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: result.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: notepad.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AdlingV4.6.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: result.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Drivers.exe)
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: result.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: result.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: result.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: result.exe)
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Drivers.exe
- PID 2524: Drivers.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Drivers.exe
- PID 2524: Drivers.exe
-
Suspicious use of WriteProcessMemory 55 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes: Drivers.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: Drivers.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: Drivers.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: Drivers.exe)
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
- PID 2632: attrib.exe
- PID 2832: attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\58d950929edcfc0a3f1def7620d62fd0_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" 2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" +s +h 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" +s +h 4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2832
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\Admin\AppData\Local\Temp" +s +h 4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2632
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe "C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe" 3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524 -
C:\Windows\SysWOW64\notepad.exe notepad 4⤵
- System Location Discovery: System Language Discovery
PID:2700
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\result.exe "C:\Users\Admin\AppData\Local\Temp\result.exe" 2⤵
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe" 3⤵
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1664
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 2
  - Windows Service: 2
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 2
  - Windows Service: 2
Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 3
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 2
- Modify Registry: 7
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 4
  - Credentials In Files: 4
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_reports\NO_PWDS_report_18-10-2024_18-14-29-F568C3BF0F97A052D1B46DB02CDA315B-JCFK.bin
Filesize
1KB