Malware Analysis Report

2024-11-16 13:48

Sample ID: 240629-e7xjas1cpg
Target: 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware
SHA256: a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711
Tags: vidar, persistence, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a6948279d46c237e099bc1adfee11b0640e692b1f1ce2fdf8df43058e211a711

Threat Level: Known bad

The file 2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware was found to be: Known bad.

Reading note: the sample-specific artefacts in the runs below are the second stage dropped under a random name in %TEMP% (the same SHA-256 in both runs), the copy written to C:\Windows\CTS.exe, and the Run value that relaunches it. Most of the other tabulated behaviour is attributed to C:\$Windows.~WS\Sources\SetupHost.Exe and DiagTrackRunner.exe, which carry the file names, command lines and directory layout of Windows setup/upgrade media; the report does not state whether they are Microsoft-signed, so verify the hashes listed under Files before attributing their behaviour to the malware. The Vidar signature fires in both behavioural runs without an indicator row, behavioral1 records no network traffic at all, and the only traffic in behavioral2 is DNS and a TCP/443 connection to download.microsoft.com.

Malicious Activity Summary

Tags: vidar, persistence, spyware, stealer

Vidar

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks system information in the registry

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NTFS ADS

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-29 04:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-29 04:35
Reported: 2024-06-29 04:38
Platform: win7-20240508-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"

Signatures

Vidar

Tags: stealer, vidar (no indicator rows recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Loads dropped DLL

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A 1
N/A N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A 35
N/A N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A 1
(identical rows collapsed; Rows gives the number of occurrences in the original table)

Reads user/profile data of web browsers

Tags: spyware, stealer (no indicator rows recorded)

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
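
The two rows above are the whole persistence story of this sample, but they are printed in NT object-manager form (\REGISTRY\MACHINE\...) with escaped value data, and the Wow6432Node segment tells you the writer was a 32-bit process on a 64-bit guest (the behavioral2 table prints the same key as WOW6432Node). The following is an added example, not part of the report or of any sandbox vendor's code: it parses those rows, maps the hive to its Win32 name, recovers the autorun command, lists both registry views a hunter should query on a live host, and emits a minimal Sigma rule body. The ATT&CK mapping (T1547.001, Registry Run Keys) and the Sigma field names (Sysmon registry_set: TargetObject, Details) are this example's assumptions; the sample rows are copied from the table.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Two rows copied from the "Adds Run key to start application" table above.
# Flattened column order: Description, Indicator, Process, Target.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A',
]

# NT object-manager hive prefixes, as the sandbox prints them, to Win32 names.
HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^ ]+)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)


@dataclass(frozen=True)
class AutorunIndicator:
    hive: str               # HKLM / HKU
    key: str                # key path below the hive, exactly as the malware wrote it
    name: str               # value name (here "CTS")
    command: str            # command launched at logon, backslash-unescaped
    writer: str             # process that set the value
    wow64_redirected: bool  # True when the write landed under Wow6432Node


def parse_autorun_row(row: str) -> AutorunIndicator:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a 'Set value' row: {row[:60]}")
    nt_key = m["key"]
    hit = next(((h, nt_key[len(p):]) for p, h in HIVE_MAP.items() if nt_key.startswith(p)), None)
    if hit is None:
        raise ValueError(f"unknown hive prefix in {nt_key}")
    hive, rest = hit
    key = rest.lstrip("\\")
    return AutorunIndicator(
        hive=hive,
        key=key,
        name=m["name"],
        # the report escapes backslashes in value data ("C:\\Windows\\CTS.exe")
        command=m["data"].replace("\\\\", "\\"),
        writer=m["process"],
        wow64_redirected="\\wow6432node\\" in f"\\{key}\\".lower(),
    )


def hunt_keys(ind: AutorunIndicator) -> list[str]:
    """Both registry views worth querying on a live host.

    A 32-bit writer on 64-bit Windows is redirected from HKLM\\SOFTWARE\\...\\Run to
    the Wow6432Node copy; Explorer processes both at logon, but a 64-bit hunting
    tool that only reads the native view would miss the value."""
    native = re.sub(r"(?i)\\Wow6432Node(?=\\)", "", "\\" + ind.key).lstrip("\\")
    return sorted({f"{ind.hive}\\{ind.key}", f"{ind.hive}\\{native}"})


def to_sigma(ind: AutorunIndicator) -> dict:
    """Minimal Sigma rule body for a registry_set event matching this value.
    The ATT&CK mapping (T1547.001) is this example's, not the report's."""
    return {
        "title": f"Autorun value {ind.name} launching {ind.command}",
        "logsource": {"product": "windows", "category": "registry_set"},
        "detection": {
            "selection": {
                "TargetObject|endswith": f"\\CurrentVersion\\Run\\{ind.name}",
                "Details": ind.command,
            },
            "condition": "selection",
        },
        "tags": ["attack.persistence", "attack.t1547.001"],
    }


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        ind = parse_autorun_row(row)
        print(f"{ind.hive}\\{ind.key}\\{ind.name} = {ind.command}  (written by {ind.writer})")
        print("  query:", hunt_keys(ind))
```

The second row matters as much as the first: CTS.exe re-sets its own Run value once it is running, so deleting the value without killing the process and removing C:\Windows\CTS.exe will not clean the host.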

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File opened for modification C:\Windows\Logs\MoSetup\BlueBox.log C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
N/A N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A
Token: SeBackupPrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeRestorePrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeBackupPrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeRestorePrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe N/A
N/A N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 2284 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe 7
PID 2284 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Windows\CTS.exe 4
PID 1900 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe C:\$Windows.~WS\Sources\SetupHost.Exe 7
PID 2460 wrote to memory of 1676 N/A C:\$Windows.~WS\Sources\SetupHost.Exe C:\$Windows.~WS\Sources\DiagTrackRunner.exe 4
(identical rows collapsed; Rows gives the number of occurrences in the original table)
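
The rows above are cross-process write events. The sandbox records one whenever a process writes into another's address space; in practice a parent spawning a child produces these rows just as injection does, so what they give you is a spawn-or-inject tree, and the Processes list below confirms each target is a separately running image. Flat rows hide that structure. The following is an added example, not from the report: it rebuilds the tree, keeps the event count per target (a second writer into the same pid is counted rather than dropped) and prints every complete chain. Rows are copied from this run, with the first duplicated to show the counting; the behavioral2 rows (pids 1908, 2172, 4456, 4588, 4092) parse the same way.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Rows copied from the "Suspicious use of WriteProcessMemory" table above; the
# first is included twice to show that repeated rows are counted, not discarded.
SAMPLE_ROWS = [
    r"PID 2284 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe",
    r"PID 2284 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe",
    r"PID 2284 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Windows\CTS.exe",
    r"PID 1900 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe C:\$Windows.~WS\Sources\SetupHost.Exe",
    r"PID 2460 wrote to memory of 1676 N/A C:\$Windows.~WS\Sources\SetupHost.Exe C:\$Windows.~WS\Sources\DiagTrackRunner.exe",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass
class ProcNode:
    pid: int
    image: str
    writes_into: int = 0                     # cross-process write events that targeted this pid
    children: list[ProcNode] = field(default_factory=list)


def build_tree(rows: list[str]) -> list[ProcNode]:
    """Forest of writer -> target relations; roots are processes nobody wrote into.

    The first writer seen for a pid becomes its parent; writes from any other
    pid still add to writes_into, so injection by a second process is not lost."""
    edges: Counter = Counter()
    images: dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row[:50]}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
    nodes = {pid: ProcNode(pid, img) for pid, img in images.items()}
    parented: set[int] = set()
    for (src, dst), n in edges.items():
        nodes[dst].writes_into += n
        if dst not in parented:
            nodes[src].children.append(nodes[dst])
            parented.add(dst)
    return [nodes[pid] for pid in images if pid not in parented]


def leaf_chains(node: ProcNode, prefix: tuple[int, ...] = ()) -> list[tuple[int, ...]]:
    """Every root-to-leaf pid path, i.e. each complete execution chain."""
    path = prefix + (node.pid,)
    if not node.children:
        return [path]
    chains: list[tuple[int, ...]] = []
    for child in node.children:
        chains.extend(leaf_chains(child, path))
    return chains


def render(node: ProcNode, depth: int = 0) -> str:
    """Indented one-line-per-process view using image basenames."""
    line = f"{'  ' * depth}{PureWindowsPath(node.image).name} (pid {node.pid})"
    if node.writes_into:
        line += f"  <- {node.writes_into} write event(s)"
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])


if __name__ == "__main__":
    for root in build_tree(SAMPLE_ROWS):
        print(render(root))
```

On this run the output is one root with two chains: the sample to the random-named second stage to SetupHost.Exe to DiagTrackRunner.exe, and the sample to C:\Windows\CTS.exe. That is the shape to look for in EDR telemetry: a user-writable %TEMP% binary that goes on to spawn something living in C:\$Windows.~WS.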

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe

C:\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\$Windows.~WS\Sources\SetupHost.Exe

"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\$Windows.~WS\Sources\DiagTrackRunner.exe

C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly

Network

Files

\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe

MD5 db3fccad4aead91689d62822232d56bc
SHA1 c00ecaf95ed3b727aae581d41af99b5fbc762865
SHA256 aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4
SHA512 8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\$Windows.~WS\Sources\SetupHost.exe

MD5 a0b1786c1a59ddac1024956723f58a73
SHA1 828d9cdb9cc2b6c49843422da49a14ebbf44d3d5
SHA256 59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2
SHA512 a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

MD5 9921c2a0d68a011620bd5916cc11e54d
SHA1 e68c1c59600d28968dafadc300225b3ef8e4ebdc
SHA256 50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696
SHA512 4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f

C:\$Windows.~WS\Sources\SetupCore.dll

MD5 446969e79d71cb6075f26349ac9345bc
SHA1 6efefe6037458e495a07dd86dc68bf788c638ca9
SHA256 26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3
SHA512 8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d

\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll

MD5 dbeac4d60d3985a086052d56fd84228e
SHA1 44a717d41388ce53d8e77fe1bb5e34ed4b72a851
SHA256 e5ce4dbda2c7bd078056cc17cc65714787cc50daa5e61de59fafa0d0223321b1
SHA512 44b7c321f1cdaa0145c7f4766f6b4f90c6d86a9a3eb842d2a007f44b27d9b25efe89421820514080e2a45d99da4bddcb877fd754c01a4801840ea7b7228c62ba

\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l2-1-0.dll

MD5 daec93c3ac8dca1807147d304879acb0
SHA1 391cbc5e7cf40124f9640c1e7d6188e75af1b5f3
SHA256 107cf218d9af2523fb24da10b381436bb858ac0f8b1012bc56bf088983b2e9db
SHA512 ccc96c82b2cdcd36f56642cc6801de9d487ec593ccda9020efdc782cd3705e321367de7487080b5bdd10c89b9e6acf048a8f45a16c29caed5588bd6d1babe3d1

C:\$Windows.~WS\Sources\SetupPlatform.dll

MD5 10fe8f9a16755bf9ca3c5e94bfbf7178
SHA1 260c06924a55582d4f4dbdfe7d0bccdd00208f9b
SHA256 2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd
SHA512 c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110

\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-1.dll

MD5 75285f0badb10b3291d8f921e76506c0
SHA1 d769aba460a768cb065346d9a9c3263af1372160
SHA256 a5af7a42ea3688d6fb5ce9388e11276bbeb3afb2e893b9f66b1bc7c9059d8f99
SHA512 f40c8f6ede3010f523ab28f41ad38e41d1fd541554b59104a7d7468ddb004efe6bd690a9467be6461ade71ce7b10b120b8cacf6c429f37fef3d3fc8318c0284b

\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-1.dll

MD5 40baccd1e7f60085248785bea899c61e
SHA1 d1e076fe8258ed5fb53707f639ceddaf7d5640fa
SHA256 d59814bb8bbcff15e192aa600ac09f344ac089e95034258c1ea3748363132a59
SHA512 4ad6b96b3aadfe5cccad0494e80258b709905349e82c858f27cbff4a871790bb7d0757a704f999cd86c9a788e44d286655940a81c8237e15aa2641e0ddf55930

\$Windows.~WS\Sources\wpx.dll

MD5 c963819dd589b833b2fde3b9e08605f3
SHA1 72613ba4e8161fb8a6d0e0237e397285747a1e72
SHA256 b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6
SHA512 5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1

\$Windows.~WS\Sources\unbcl.dll

MD5 9aebdb604a0cec305568f2742cc6a3d2
SHA1 851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9
SHA256 82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93
SHA512 3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb

C:\$Windows.~WS\Sources\setupplatform.cfg

MD5 1405595a81a70c012ace6b3f618351b2
SHA1 9b398dbddef2a0c048790f6ca4be57899f0f71c0
SHA256 ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43
SHA512 a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d

\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l4-1-0.dll

MD5 96fe4353f44be47fb877366d5f33c172
SHA1 ddea638bd1694b2eda295a0f508e4a857f8450f2
SHA256 904371b86f56414ff70d3d7a4ad878b70f8b9fd278e2b97a82a26bb13b89a9f4
SHA512 2d0a0e97ef5eba8701446891dd669735540ef185e3f8fb14053243bf4b9163e9354e5f905bd26d1910a80d8780cfe2dcc68f6f2ad9bf3275bb7efb30eeafa464

\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-1.dll

MD5 4e2acbaa772797a0f86e15572fa44f84
SHA1 7f1846f886a27716ca918c65fb87458bd49fcfee
SHA256 70b4b4c427f235b2c2c7d49b3aff7c5a799b7a9616e7a11d2de5d78156665ba7
SHA512 b8143b54cf966f42abf9e2b083cd85aa1f7411fa4ceb2b8460946d708322ba2b81b93be771d8d04b027d0e22b13e68fa71bb53b6c2f6c8b3c0f5941d423d38b4

\$Windows.~WS\Sources\WinDlp.dll

MD5 6ca8df94e48799196c24b7274a48fdaa
SHA1 0cb34852203277829668db49afc5d25bd382f8ba
SHA256 0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7
SHA512 e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038

\$Windows.~WS\Sources\SetupMgr.dll

MD5 5492a750f2c92ef126621fe0468b779a
SHA1 64e2d1fafbc008144df94cf3160319e0452d929e
SHA256 2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10
SHA512 a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35

\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-1.dll

MD5 8cd60551eec672a732db658555c051d9
SHA1 f675ee4b04a5a3afb758ff89e077dd401e192379
SHA256 5d0ba298919d78b726c625c7e6ad31f2632e095f7c79ac08f0ff25f8e15a4295
SHA512 d3950f90d50e90b2ba62fa1028ae6226c8fe2ee8c0517f769dafa3cc4ba81f38a50ce1676be3eb40669d7ea830752a331975867fb117937b7fffd21c2845b313

\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll

MD5 cfd98d71d80f41c3f155e573b1ffdda1
SHA1 966336882e88ca6a311c5e9948b4bb22a815bd7f
SHA256 1b202df705c429d3d1be26f71274743f0859db81aedead53bf2624d35899294d
SHA512 16d266bd3dc858bbc37fa95ad7f0a60ce654fbcf1f5c9b3f3e0abc1f7b95e86f2a04a9b0e1d98cae3e616af2129985f92aea7595aeeef898eae399e4669f44ff

\$Windows.~WS\Sources\wdscore.dll

MD5 8929e1ce63abc413ab88f31f3a45aba2
SHA1 49f37061d17cbe0482255aacfdabf10e67839ecb
SHA256 80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161
SHA512 3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5

memory/2460-109-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

memory/2460-110-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

C:\$Windows.~WS\Sources\WDSUTIL.dll

MD5 66190a933f32c6521a08c6ea76ac0fe3
SHA1 3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de
SHA256 d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9
SHA512 fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe

\$Windows.~WS\Sources\DiagTrackRunner.exe

MD5 76f30a1e149792d2542a253b920cbef6
SHA1 9040e0873df5cc2a64b850d1b8159b77528ba62c
SHA256 488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159
SHA512 ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

C:\$Windows.~WS\Sources\diagtrack.dll

MD5 6c3f6a6bc5ede978e9dfe1acce386339
SHA1 3b7b51d762c593e92123f9365a896ed64ee26a7a
SHA256 b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c
SHA512 3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

memory/2460-132-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-29 04:35
Reported: 2024-06-29 04:38
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"

Signatures

Vidar

Tags: stealer, vidar (no indicator rows recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer (no indicator rows recorded)

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File opened for modification C:\Windows\Logs\MoSetup\BlueBox.log C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\$Windows.~WS\Sources\SetupHost.Exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows
N/A N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A 4
(identical rows collapsed; Rows gives the number of occurrences in the original table)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe N/A
Token: SeBackupPrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeRestorePrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeBackupPrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeRestorePrivilege N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A
Token: SeDebugPrivilege N/A C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe N/A
N/A N/A C:\$Windows.~WS\Sources\SetupHost.Exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 1908 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe 3
PID 1908 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe C:\Windows\CTS.exe 3
PID 2172 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe C:\$Windows.~WS\Sources\SetupHost.Exe 3
PID 4588 wrote to memory of 4092 N/A C:\$Windows.~WS\Sources\SetupHost.Exe C:\$Windows.~WS\Sources\DiagTrackRunner.exe 3
(identical rows collapsed; Rows gives the number of occurrences in the original table)

System policy modification

Tags: evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\$Windows.~WS\Sources\DiagTrackRunner.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_42ba3a14d9c6ab637d6bd3c8d2d159c9_bkransomware.exe"

C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe

C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\$Windows.~WS\Sources\SetupHost.Exe

"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\$Windows.~WS\Sources\DiagTrackRunner.exe

C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 download.microsoft.com udp
GB 2.21.189.207:443 download.microsoft.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 207.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp
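
Most of the Network rows are reverse (PTR) lookups, which the table prints as in-addr.arpa names; the address being asked about is the first four labels in reverse order, so 207.189.21.2.in-addr.arpa is a query about 2.21.189.207, the one host the guest actually connected to. The following is an added example, not from the report: it parses the table, decodes the PTR names back to addresses, separates forward lookups and real connections, and flags addresses that were reverse-resolved without any recorded connection to them. On this run that leaves nothing that looks like command-and-control: the sole connection is TCP/443 to download.microsoft.com, which is consistent with the Vidar signature above carrying no indicator row. The sample rows are copied from the table.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Rows copied from the Network table above. Column order: Country, Destination, Domain, Proto.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp",
    "US 8.8.8.8:53 download.microsoft.com udp",
    "GB 2.21.189.207:443 download.microsoft.com tcp",
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 207.189.21.2.in-addr.arpa udp",
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


@dataclass(frozen=True)
class Flow:
    country: str
    dst_ip: str
    dst_port: int
    domain: str
    proto: str


def ptr_to_ip(name: str) -> str | None:
    """'207.189.21.2.in-addr.arpa' -> '2.21.189.207'; None for a forward name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:   # an octet above 255 is not a PTR name
        return None


def parse_rows(rows: list[str]) -> list[Flow]:
    flows = []
    for row in rows:
        country, dest, domain, proto = row.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def summarise(flows: list[Flow]) -> dict[str, list]:
    """Split the table into forward lookups, decoded reverse lookups and real
    connections, and flag PTR queries for addresses the table never shows a
    connection to (traffic the capture did not attribute to the sample)."""
    forward: set[str] = set()
    reverse: dict[str, str] = {}          # decoded IP -> PTR name as queried
    direct: set[tuple[str, int, str]] = set()
    for f in flows:
        if f.dst_port == 53:
            ip = ptr_to_ip(f.domain)
            if ip:
                reverse[ip] = f.domain
            else:
                forward.add(f.domain)
        else:
            direct.add((f.dst_ip, f.dst_port, f.proto))
    connected = {ip for ip, _, _ in direct}
    return {
        "forward_lookups": sorted(forward),
        "reverse_lookups": sorted(reverse),
        "direct_connections": sorted(direct),
        "ptr_without_connection": sorted(ip for ip in reverse if ip not in connected),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

The ptr_without_connection list is the part worth a second look in a real capture: a guest reverse-resolving addresses it never talks to is either OS telemetry or traffic the capture missed, and only the full pcap can tell which.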

Files

C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe

MD5 db3fccad4aead91689d62822232d56bc
SHA1 c00ecaf95ed3b727aae581d41af99b5fbc762865
SHA256 aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4
SHA512 8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 4357ad059ae203f9d2de05c4cb416c5e
SHA1 2c8e8b7778e4b798b431c59612d556ac364b4e1e
SHA256 1d37a3f2a9940672abd32e38996ca137ec141beff8fce02f1e5008d65159f75e
SHA512 52db1204c48377e517247cc01ba9f0f66ae66e25a6f2474f36f827690fbdf705f408a9d5dacdd0463a7eb138ab7e2fe46d4fa5dc5eed5902e04b1c975091505d

C:\$Windows.~WS\Sources\SetupHost.exe

MD5 a0b1786c1a59ddac1024956723f58a73
SHA1 828d9cdb9cc2b6c49843422da49a14ebbf44d3d5
SHA256 59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2
SHA512 a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

MD5 9921c2a0d68a011620bd5916cc11e54d
SHA1 e68c1c59600d28968dafadc300225b3ef8e4ebdc
SHA256 50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696
SHA512 4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f

C:\$Windows.~WS\Sources\wdscore.dll

MD5 8929e1ce63abc413ab88f31f3a45aba2
SHA1 49f37061d17cbe0482255aacfdabf10e67839ecb
SHA256 80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161
SHA512 3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5

C:\$Windows.~WS\Sources\SetupPlatform.dll

MD5 10fe8f9a16755bf9ca3c5e94bfbf7178
SHA1 260c06924a55582d4f4dbdfe7d0bccdd00208f9b
SHA256 2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd
SHA512 c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110

C:\$Windows.~WS\Sources\SetupCore.dll

MD5 446969e79d71cb6075f26349ac9345bc
SHA1 6efefe6037458e495a07dd86dc68bf788c638ca9
SHA256 26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3
SHA512 8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d

C:\$Windows.~WS\Sources\wpx.dll

MD5 c963819dd589b833b2fde3b9e08605f3
SHA1 72613ba4e8161fb8a6d0e0237e397285747a1e72
SHA256 b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6
SHA512 5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1

C:\$Windows.~WS\Sources\unbcl.dll

MD5 9aebdb604a0cec305568f2742cc6a3d2
SHA1 851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9
SHA256 82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93
SHA512 3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb

C:\$Windows.~WS\Sources\setupplatform.cfg

MD5 1405595a81a70c012ace6b3f618351b2
SHA1 9b398dbddef2a0c048790f6ca4be57899f0f71c0
SHA256 ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43
SHA512 a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d

C:\$Windows.~WS\Sources\WinDlp.dll

MD5 6ca8df94e48799196c24b7274a48fdaa
SHA1 0cb34852203277829668db49afc5d25bd382f8ba
SHA256 0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7
SHA512 e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038

C:\$Windows.~WS\Sources\SetupMgr.dll

MD5 5492a750f2c92ef126621fe0468b779a
SHA1 64e2d1fafbc008144df94cf3160319e0452d929e
SHA256 2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10
SHA512 a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35

C:\$Windows.~WS\Sources\WDSUTIL.dll

MD5 66190a933f32c6521a08c6ea76ac0fe3
SHA1 3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de
SHA256 d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9
SHA512 fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe

C:\$Windows.~WS\Sources\diagtrack.dll

MD5 6c3f6a6bc5ede978e9dfe1acce386339
SHA1 3b7b51d762c593e92123f9365a896ed64ee26a7a
SHA256 b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c
SHA512 3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

C:\$Windows.~WS\Sources\DiagTrackRunner.exe

MD5 76f30a1e149792d2542a253b920cbef6
SHA1 9040e0873df5cc2a64b850d1b8159b77528ba62c
SHA256 488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159
SHA512 ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

MD5 4bc291b5d6ce45bc082e47bacb49c3ff
SHA1 c5ce9db96d10e0f50677704dcb7b524795a5c204
SHA256 7ebd88beb9c9eb0164850a93a33078d692a93a25a02b51bc0ad92ad14164ee29
SHA512 0b54ed8a83a50caba8dbbfeccabeaa385f1d729f4496e204a9a4c8ccbc146ffce46ab2c99dfaaed57b3d14b8f0abc0d0160e1be8575ae2c1ba5f8a6d0110ce39
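
The Files sections of behavioral1 and behavioral2 list the same dropped binaries under different names: tM4g4Wv2t5AZLAH.exe and CGmLd6UtAYTXgDG.exe share one SHA-256, which tells you the second stage gets a random name per execution and that only the hash is a usable indicator, while C:\Windows\CTS.exe keeps its name and hash across runs. The following is an added example, not from the report, that serves both Files sections: it parses an excerpt of the report's own path-then-hashes layout, merges the two runs, groups by SHA-256, buckets each path by where it landed, and flags hashes seen under more than one file name. The excerpt is assembled from the hashes printed above (SHA512 lines omitted for length; the parser accepts them), and the bucket names are this example's.

```python
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Excerpt assembled from the Files sections of both runs above (SHA512 lines
# dropped for length; the parser accepts them). Memory-dump entries carry no hashes.
REPORT_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\tM4g4Wv2t5AZLAH.exe

MD5 db3fccad4aead91689d62822232d56bc
SHA1 c00ecaf95ed3b727aae581d41af99b5fbc762865
SHA256 aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

C:\$Windows.~WS\Sources\SetupHost.exe

MD5 a0b1786c1a59ddac1024956723f58a73
SHA1 828d9cdb9cc2b6c49843422da49a14ebbf44d3d5
SHA256 59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2

memory/2460-109-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CGmLd6UtAYTXgDG.exe

MD5 db3fccad4aead91689d62822232d56bc
SHA1 c00ecaf95ed3b727aae581d41af99b5fbc762865
SHA256 aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4

C:\Windows\CTS.exe

MD5 66df4ffab62e674af2e75b163563fc0b
SHA1 dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 4357ad059ae203f9d2de05c4cb416c5e
SHA1 2c8e8b7778e4b798b431c59612d556ac364b4e1e
SHA256 1d37a3f2a9940672abd32e38996ca137ec141beff8fce02f1e5008d65159f75e
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_file_blocks(text: str) -> dict[str, dict[str, str]]:
    """path -> {algo: hexdigest}; a path listed in both runs is merged into one entry."""
    files: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
        elif not m:
            current = line            # any non-hash line starts a new file entry
            files.setdefault(current, {})
    return files


def classify(path: str) -> str:
    """Coarse bucket by where the sandbox saw the file land (bucket names are this example's)."""
    p = path.lower()
    if p.startswith("memory/"):
        return "memory-dump"
    if "$windows.~ws\\" in p:
        return "setup-media"
    if "\\appdata\\local\\temp\\" in p:
        return "temp-drop"
    if p.startswith(("c:\\windows\\", "\\windows\\")):
        return "windows-dir-drop"
    return "other"


def build_iocs(files: dict[str, dict[str, str]]) -> list[dict]:
    """One IOC per distinct SHA-256. A hash seen under several file names is
    flagged: the name is then useless as an indicator and the hash is what to hunt."""
    by_sha: dict[str, list[str]] = defaultdict(list)
    for path, hashes in files.items():
        if "SHA256" in hashes:
            by_sha[hashes["SHA256"]].append(path)
    iocs = []
    for sha, paths in by_sha.items():
        names = {PureWindowsPath(p).name.lower() for p in paths}
        iocs.append({
            "sha256": sha,
            "paths": paths,
            "kinds": sorted({classify(p) for p in paths}),
            "random_name": len(names) > 1,
        })
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs(parse_file_blocks(REPORT_EXCERPT)):
        flag = " [same hash under different names]" if ioc["random_name"] else ""
        print(ioc["sha256"], ", ".join(ioc["kinds"]), "->", "; ".join(ioc["paths"]) + flag)
```

Feed the setup-media hashes to a signature or reputation check before putting them on a blocklist; the temp-drop and windows-dir-drop hashes are the ones tied to this sample by the process chain above.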