Analysis
-
max time kernel
38s -
max time network
39s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 11:05
Behavioral task
behavioral1
Sample
MuddyWater.msi
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
MuddyWater.msi
Resource
win10v2004-20241007-en
General
-
Target
MuddyWater.msi
-
Size
2.6MB
-
MD5
809334c0b55009c5a50f37e4eec63c43
-
SHA1
24b60847bc0712c9ba0b8036c59ee16c211fa8bb
-
SHA256
2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b
-
SHA512
a615b5ebce41db0ee6318d845daff393372fe4bf93d7f8af5f450df1ecdb9a9ebde9af39c40b5980b4d1002eb609ddffe6010247971842a855fd3922000322bd
-
SSDEEP
49152:r51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TzOFNOnUI:rPCMr2NMRmk/XeM9TEeRvx+ch/TzAr
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Detects AteraAgent 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x002b0000000186cc-165.dat family_ateraagent -
Blocklisted process makes network request 3 IoCs
Processes:
msiexec.exeflow pid Process 3 1520 msiexec.exe 5 1520 msiexec.exe 7 1520 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Drops file in System32 directory 7 IoCs
Processes:
AteraAgent.exedescription ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 10 IoCs
Processes:
msiexec.exeAteraAgent.exedescription ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog AteraAgent.exe -
Drops file in Windows directory 18 IoCs
Processes:
msiexec.exerundll32.exeDrvInst.exedescription ioc Process File opened for modification C:\Windows\Installer\MSIDF20.tmp msiexec.exe File created C:\Windows\Installer\f77d94f.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID9CE.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIDCFA.tmp msiexec.exe File created C:\Windows\Installer\f77d950.ipi msiexec.exe File created C:\Windows\Installer\f77d952.msi msiexec.exe File opened for modification C:\Windows\Installer\f77d94f.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID9CE.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID9CE.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID9CE.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\f77d950.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSID9CE.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIDD0A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDEA2.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Executes dropped EXE 2 IoCs
Processes:
AteraAgent.exeAteraAgent.exepid Process 1072 AteraAgent.exe 1820 AteraAgent.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid Process 2964 sc.exe -
Loads dropped DLL 9 IoCs
Processes:
MsiExec.exerundll32.exeMsiExec.exepid Process 652 MsiExec.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 2044 rundll32.exe 652 MsiExec.exe 628 MsiExec.exe 628 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exeMsiExec.exeNET.exenet1.exeTaskKill.exeMsiExec.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Kills process with taskkill 1 IoCs
Processes:
TaskKill.exepid Process 2108 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
DrvInst.exemsiexec.exeAteraAgent.exeAteraAgent.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" AteraAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe -
Modifies registry class 22 IoCs
Processes:
msiexec.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\882A5F5CFF587524FA965D19E026865B msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\PackageCode = "8461E24D8232BC14CB270C3BD27759E8" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\PackageName = "MuddyWater.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\882A5F5CFF587524FA965D19E026865B msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\ProductName = "IronSword" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Version = "17301510" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\882A5F5CFF587524FA965D19E026865B\INSTALLFOLDER_files_Feature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\AuthorizedLUAApp = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Clients = 3a0000000000 msiexec.exe -
Processes:
AteraAgent.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid Process 2904 msiexec.exe 2904 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exeTaskKill.exedescription pid Process Token: SeShutdownPrivilege 1520 msiexec.exe Token: SeIncreaseQuotaPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeSecurityPrivilege 2904 msiexec.exe Token: SeCreateTokenPrivilege 1520 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1520 msiexec.exe Token: SeLockMemoryPrivilege 1520 msiexec.exe Token: SeIncreaseQuotaPrivilege 1520 msiexec.exe Token: SeMachineAccountPrivilege 1520 msiexec.exe Token: SeTcbPrivilege 1520 msiexec.exe Token: SeSecurityPrivilege 1520 msiexec.exe Token: SeTakeOwnershipPrivilege 1520 msiexec.exe Token: SeLoadDriverPrivilege 1520 msiexec.exe Token: SeSystemProfilePrivilege 1520 msiexec.exe Token: SeSystemtimePrivilege 1520 msiexec.exe Token: SeProfSingleProcessPrivilege 1520 msiexec.exe Token: SeIncBasePriorityPrivilege 1520 msiexec.exe Token: SeCreatePagefilePrivilege 1520 msiexec.exe Token: SeCreatePermanentPrivilege 1520 msiexec.exe Token: SeBackupPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 1520 msiexec.exe Token: SeShutdownPrivilege 1520 msiexec.exe Token: SeDebugPrivilege 1520 msiexec.exe Token: SeAuditPrivilege 1520 msiexec.exe Token: SeSystemEnvironmentPrivilege 1520 msiexec.exe Token: SeChangeNotifyPrivilege 1520 msiexec.exe Token: SeRemoteShutdownPrivilege 1520 msiexec.exe Token: SeUndockPrivilege 1520 msiexec.exe Token: SeSyncAgentPrivilege 1520 msiexec.exe Token: SeEnableDelegationPrivilege 1520 msiexec.exe Token: SeManageVolumePrivilege 1520 msiexec.exe Token: SeImpersonatePrivilege 1520 msiexec.exe Token: SeCreateGlobalPrivilege 1520 msiexec.exe Token: SeBackupPrivilege 2808 vssvc.exe Token: SeRestorePrivilege 2808 vssvc.exe Token: SeAuditPrivilege 2808 vssvc.exe Token: SeBackupPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 1968 DrvInst.exe Token: SeLoadDriverPrivilege 1968 DrvInst.exe Token: SeLoadDriverPrivilege 1968 DrvInst.exe Token: SeLoadDriverPrivilege 1968 DrvInst.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeRestorePrivilege 2904 msiexec.exe Token: SeTakeOwnershipPrivilege 2904 msiexec.exe Token: SeDebugPrivilege 2108 TaskKill.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 1520 msiexec.exe 1520 msiexec.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
msiexec.exeMsiExec.exeMsiExec.exeNET.exedescription pid Process procid_target PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 2904 wrote to memory of 652 2904 msiexec.exe 34 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 652 wrote to memory of 2044 652 MsiExec.exe 35 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 2904 wrote to memory of 628 2904 msiexec.exe 37 PID 628 wrote to memory of 896 628 MsiExec.exe 38 PID 628 wrote to memory of 896 628 MsiExec.exe 38 PID 628 wrote to memory of 896 628 MsiExec.exe 38 PID 628 wrote to memory of 896 628 MsiExec.exe 38 PID 896 wrote to memory of 1552 896 NET.exe 40 PID 896 wrote to memory of 1552 896 NET.exe 40 PID 896 wrote to memory of 1552 896 NET.exe 40 PID 896 wrote to memory of 1552 896 NET.exe 40 PID 628 wrote to memory of 2108 628 MsiExec.exe 41 PID 628 wrote to memory of 2108 628 MsiExec.exe 41 PID 628 wrote to memory of 2108 628 MsiExec.exe 41 PID 628 wrote to memory of 2108 628 MsiExec.exe 41 PID 2904 wrote to memory of 1072 2904 msiexec.exe 43 PID 2904 wrote to memory of 1072 2904 msiexec.exe 43 PID 2904 wrote to memory of 1072 2904 msiexec.exe 43 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MuddyWater.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1520
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7DE9DC274D32ADDEB686FC4B81D99ADB2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID9CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259512904 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2044
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5646C106332E1CAF512794A95191278E M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:1552
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000008IyacIAC"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1072
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000003DC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:1820 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:2964
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD51ea443d5f1d21d70a4760d34b150d6dd
SHA13ba0f9b4cda0964b6796dbdd29cfc6ba20c6e1ce
SHA2567e7257699d1b0d7ba63e8192a71405d0716e2ec7dd7cfd4668b1685abc25811d
SHA5129f993156940f07d17894254262a9b5f006fc8d1249afa0fb6f5351bb9ebe499590c798a1af9e1aeac4b7f2270deafe1aa62a978afa93055b8c615b7fbfde9563
-
Filesize
753B
MD58298451e4dee214334dd2e22b8996bdc
SHA1bc429029cc6b42c59c417773ea5df8ae54dbb971
SHA2566fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25
SHA512cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba
-
Filesize
140KB
MD52899046a979bf463b612b5a80defe438
SHA121feaa6f3fbb1afa7096c155d6b1908abf4ea3b9
SHA256486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8
SHA5128c60eb0d9e82326543f2fbcd08783e041a7f5598723666b1c9ea5df7808d0c4947e8e64c2dcd46331bc3dbc38c6ec8b85ed2fcc5b97eaf0465ea624167829368
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
588KB
MD582b17dc9838e1e21e5c6f53d2867e94a
SHA1a09bfe6582bff9193337cc7dbab79d0b6b723205
SHA2568e7210c1cd0955aeb4cbbdce362d4c450e0bf1be47bdf263fbf2789a4d98fd00
SHA512c1b259655e2514449366f2d150d020a1eabb0e67af29c5e26c3a00f1d84d805216016c306d48e37354de09d4a056dc071c0d0d0d36f8ec9775843e6ae2712430
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD565e2192e4dc04fc206f436f9a86e1023
SHA16435da8290f576c8604ddcddbb40bacd19458c8e
SHA2568df5fb73b8f3f863f2829e3911cd5446c5426437ec869bb87309c639ede8aec8
SHA512215b8f9c268587b4ba022e2d5374cfaa0d680a7f5277db9207367a4d9387d91ddefb4686c4449a6e80e473be6d67ddb7d80247586401c4dce9656a5e17290a31
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD5eeceb3251441abeae81509d5ce1626f4
SHA18fb5a5fafcbe46ec6eec7336a0c7d43fe7d65334
SHA256037873c51f408c96c3d3ec8cd05d4550a965b3e449d12a078a2505041e43b0ff
SHA512e6a93fb7f18e2074e2d7f1772277f8692a9acd8fa15bfc72ee1911c0484fa6f17f553dc945904373c41c5757ce9ec828318314c4a822c75a0d9cd3d06f50bc4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD572db13da5fff7268cc2462be217daac9
SHA13eab5c472f6a341d752a3c38a9447db3eaeede10
SHA25608441bff263e0edff40c3d7b80737a4bfc3a0c93832daf1166bb512045282735
SHA5127d88cd7fc9371eae08d40e19f4d9f2204fa83716056d8ba5ba332eef278861907bc967b3e8f74c8a12e1be15f481ea7216c3ff669917943d462df3bc0c25de89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5f99a485068c68a94b42a6e367d56d16d
SHA1e607a2f625809c5ae5fe738d1013d0cd67924a71
SHA2566e693a7db1eebdd6454614525c638ede0ad8854ae4bc935890db3ca38247a259
SHA5123bc88062916c55f134eab7bd968ffcda2d6388270391be7dde56a6ac3f8fba7e57a6ab1c8be464ca46477eedcce1f48378daa5d5dabba967ff0b1f2a9186e4b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD54e7ec662590bbe08422a3c6238a88ca5
SHA1b4cedc1d111044c5c0737bb45064d5eb3ff6a16b
SHA256789b439338324e503e006708973b89d0d42c72c968871215eacfc013429d31ae
SHA512a05809075e6d236e0a48b9a419b67cc0ba97c57446cec514349add2a2f8b91afdb29cb4f3023396a65cfa881d3018d710cf6eab1d5afcccb6a8adcc1ea2103f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD515aed32c4ca0ea9658d46631d3c1edcd
SHA1dbe2f143717df71f8c59904b1e3381c3487f96d7
SHA256e26908aa8d09acbbb7f5c5b6b8a81f6d464bbec2647697b1874b04806f0264d3
SHA512fb7cc726db098127193616d003e2125312e6419c4fee39a6e85cc0f612cd4acf45e86d5ad783db2326e26043455f1b64713a6dd2298d1f77d72df361c2a73589
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD54ca829c2911b72d71d9fe925174ec8ae
SHA1a490d46facc006178bfad7f67ff848695d891a6f
SHA2562f01cd487ba3824f162013fe405b9267fcba36a0e590b8531c19ab14e480d40e
SHA512b784e486a4d062bfdfe9795ba3c2a59717d4185f5e00f934e16b31063aff8584d8dd4b8c7d799ccc6a3ca5ea308d21720516cf106563a11e5f4f946adbd92406
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
275KB
MD5672e03b9d7a2d50f3e935909a198928b
SHA16cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.6MB
MD5809334c0b55009c5a50f37e4eec63c43
SHA124b60847bc0712c9ba0b8036c59ee16c211fa8bb
SHA2562722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b
SHA512a615b5ebce41db0ee6318d845daff393372fe4bf93d7f8af5f450df1ecdb9a9ebde9af39c40b5980b4d1002eb609ddffe6010247971842a855fd3922000322bd
-
Filesize
19KB
MD54db38e9e80632af71e1842422d4b1873
SHA184fe0d85c263168487b4125e70cd698920f44c53
SHA2564924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa
SHA5129ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1