Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    18-10-2024 02:56

General

  • Target

    e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe

  • Size

    147KB

  • MD5

    3dfa97751d9b74984c353be2f1da5508

  • SHA1

    3ab278f6f4ae48b8616f55c4b445ce2349b03a68

  • SHA256

    e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c

  • SHA512

    a9f70ac6018e37918f0b211c05b2c98e7bdbfa0bf782edd8ce9ed7fb8c8bd1c3deb094e0e5a19fe14a044023824d52daed8d556e8331ed7b4fe205453cf05204

  • SSDEEP

    3072:xSOCPeTzv5sKdp1gsvtj/tvF1BpVM2P4sFVGcMsBPFJWVxOemEBgACOUX:xSO3zv5fpm2h3BpO2lVDMsLL8UX

Malware Config

Extracted

Path

C:\ProgramData\PHALCON_RECOVER.txt

Ransom Note
~+ * + ' Phalcon | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Ransomware + O * ' .

>>> What's happened?
We encrypted and stolen all your files.
Nobody can recover your files without our decryption service.

>>> How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.

>>> What guarantees?
You can send us an unimportant file less than 1MB, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.

>>> Instructions:
Please write an email to both: [email protected] and [email protected]
Write your DECRYPTION ID in the subject.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>> Your DECRYPTION ID: BNuuQUGu2 <<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>> ATTENTION!
- Never pay before DECRYPTION of the test file.
- Do not go to recovery companies, they are just middlemen who will make money off you and cheat you. They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
- Do not hesitate for a long time. The faster you pay, the lower the price.
- Do not rename or modify encrypted files, it will lead to problems with decryption of files.
- Do not REPAIR your files with any third-party software, that will damage them and cause permanent data loss.

Signatures

  • Renames multiple (7857) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe
    "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe"
    1⤵
    • Enumerates connected drives
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW8.tmp"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\ProgramData\LPW8.tmp
        C:\ProgramData\LPW8.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW8.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2560
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads
