Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 15:01
Behavioral task
behavioral1
Sample
z65NF-E.msi
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
z65NF-E.msi
Resource
win10v2004-20241007-en
General
-
Target
z65NF-E.msi
-
Size
2.9MB
-
MD5
7c2346e58afd0cc0337fc935cd41d9c4
-
SHA1
32189bee035e465d2df8bb15c5d168f8eff6f187
-
SHA256
9219d0815a0320d65356c84003ea6d80935ebf855d2b7fbda79c4f38057a1e78
-
SHA512
b7267d28ec63ce3b3a2bd247094bf1a4cc8891549a4d43f8875ba1e37f97f3a1a6bddcbc8f9be009fc12a3836dd9d759394ec5a38ef87c8425990d42ce3cb9e2
-
SSDEEP
49152:M+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:M+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
resource yara_rule behavioral2/files/0x000b000000023bb3-236.dat family_ateraagent -
Blocklisted process makes network request 4 IoCs
flow pid Process 4 4768 msiexec.exe 6 4768 msiexec.exe 27 1792 rundll32.exe 32 4032 rundll32.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 11 IoCs
description ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe -
Drops file in Windows directory 35 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSICCF5.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICFC4.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICFC4.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE2D5.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e57cc68.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSICCF5.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIE2D5.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID853.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID93F.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSICCF5.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6CA.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSID8A2.tmp msiexec.exe File created C:\Windows\Installer\e57cc6a.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE2D5.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE2D5.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSICFC4.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6CA.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6CA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICCF5.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICFC4.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSICFC4.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE2D5.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICCF5.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICFC4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID6CA.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6CA.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45} msiexec.exe File opened for modification C:\Windows\Installer\MSID852.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE2D5.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57cc68.msi msiexec.exe File opened for modification C:\Windows\Installer\MSICCF5.tmp msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 3384 AteraAgent.exe 3188 AteraAgent.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1708 sc.exe -
Loads dropped DLL 31 IoCs
pid Process 540 MsiExec.exe 884 rundll32.exe 884 rundll32.exe 884 rundll32.exe 884 rundll32.exe 884 rundll32.exe 540 MsiExec.exe 1792 rundll32.exe 1792 rundll32.exe 1792 rundll32.exe 1792 rundll32.exe 1792 rundll32.exe 1792 rundll32.exe 1792 rundll32.exe 540 MsiExec.exe 664 rundll32.exe 664 rundll32.exe 664 rundll32.exe 664 rundll32.exe 664 rundll32.exe 540 MsiExec.exe 948 MsiExec.exe 948 MsiExec.exe 540 MsiExec.exe 4032 rundll32.exe 4032 rundll32.exe 4032 rundll32.exe 4032 rundll32.exe 4032 rundll32.exe 4032 rundll32.exe 4032 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4768 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Kills process with taskkill 1 IoCs
pid Process 3144 TaskKill.exe -
Modifies data under HKEY_USERS 55 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates AteraAgent.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "z65NF-E.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3472 msiexec.exe 3472 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4768 msiexec.exe Token: SeIncreaseQuotaPrivilege 4768 msiexec.exe Token: SeSecurityPrivilege 3472 msiexec.exe Token: SeCreateTokenPrivilege 4768 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4768 msiexec.exe Token: SeLockMemoryPrivilege 4768 msiexec.exe Token: SeIncreaseQuotaPrivilege 4768 msiexec.exe Token: SeMachineAccountPrivilege 4768 msiexec.exe Token: SeTcbPrivilege 4768 msiexec.exe Token: SeSecurityPrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeLoadDriverPrivilege 4768 msiexec.exe Token: SeSystemProfilePrivilege 4768 msiexec.exe Token: SeSystemtimePrivilege 4768 msiexec.exe Token: SeProfSingleProcessPrivilege 4768 msiexec.exe Token: SeIncBasePriorityPrivilege 4768 msiexec.exe Token: SeCreatePagefilePrivilege 4768 msiexec.exe Token: SeCreatePermanentPrivilege 4768 msiexec.exe Token: SeBackupPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeShutdownPrivilege 4768 msiexec.exe Token: SeDebugPrivilege 4768 msiexec.exe Token: SeAuditPrivilege 4768 msiexec.exe Token: SeSystemEnvironmentPrivilege 4768 msiexec.exe Token: SeChangeNotifyPrivilege 4768 msiexec.exe Token: SeRemoteShutdownPrivilege 4768 msiexec.exe Token: SeUndockPrivilege 4768 msiexec.exe Token: SeSyncAgentPrivilege 4768 msiexec.exe Token: SeEnableDelegationPrivilege 4768 msiexec.exe Token: SeManageVolumePrivilege 4768 msiexec.exe Token: SeImpersonatePrivilege 4768 msiexec.exe Token: SeCreateGlobalPrivilege 4768 msiexec.exe Token: SeBackupPrivilege 1892 vssvc.exe Token: SeRestorePrivilege 1892 vssvc.exe Token: SeAuditPrivilege 1892 vssvc.exe Token: SeBackupPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeDebugPrivilege 1792 rundll32.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeDebugPrivilege 3144 TaskKill.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe Token: SeTakeOwnershipPrivilege 3472 msiexec.exe Token: SeRestorePrivilege 3472 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4768 msiexec.exe 4768 msiexec.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 3472 wrote to memory of 2204 3472 msiexec.exe 92 PID 3472 wrote to memory of 2204 3472 msiexec.exe 92 PID 3472 wrote to memory of 540 3472 msiexec.exe 94 PID 3472 wrote to memory of 540 3472 msiexec.exe 94 PID 3472 wrote to memory of 540 3472 msiexec.exe 94 PID 540 wrote to memory of 884 540 MsiExec.exe 97 PID 540 wrote to memory of 884 540 MsiExec.exe 97 PID 540 wrote to memory of 884 540 MsiExec.exe 97 PID 540 wrote to memory of 1792 540 MsiExec.exe 99 PID 540 wrote to memory of 1792 540 MsiExec.exe 99 PID 540 wrote to memory of 1792 540 MsiExec.exe 99 PID 540 wrote to memory of 664 540 MsiExec.exe 101 PID 540 wrote to memory of 664 540 MsiExec.exe 101 PID 540 wrote to memory of 664 540 MsiExec.exe 101 PID 3472 wrote to memory of 948 3472 msiexec.exe 102 PID 3472 wrote to memory of 948 3472 msiexec.exe 102 PID 3472 wrote to memory of 948 3472 msiexec.exe 102 PID 948 wrote to memory of 2040 948 MsiExec.exe 103 PID 948 wrote to memory of 2040 948 MsiExec.exe 103 PID 948 wrote to memory of 2040 948 MsiExec.exe 103 PID 2040 wrote to memory of 4516 2040 NET.exe 105 PID 2040 wrote to memory of 4516 2040 NET.exe 105 PID 2040 wrote to memory of 4516 2040 NET.exe 105 PID 948 wrote to memory of 3144 948 MsiExec.exe 106 PID 948 wrote to memory of 3144 948 MsiExec.exe 106 PID 948 wrote to memory of 3144 948 MsiExec.exe 106 PID 3472 wrote to memory of 3384 3472 msiexec.exe 108 PID 3472 wrote to memory of 3384 3472 msiexec.exe 108 PID 540 wrote to memory of 4032 540 MsiExec.exe 112 PID 540 wrote to memory of 4032 540 MsiExec.exe 112 PID 540 wrote to memory of 4032 540 MsiExec.exe 112 PID 3188 wrote to memory of 1708 3188 AteraAgent.exe 113 PID 3188 wrote to memory of 1708 3188 AteraAgent.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z65NF-E.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4768
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2204
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5E83639058C35AB65BE0D06D9DB884032⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSICCF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240635375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:884
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSICFC4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240635906 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID6CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240637687 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:664
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE2D5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240640765 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4032
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 586C87237C26263D455C31228C977712 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:4516
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Pps1uIAB" /AgentId="35384851-2ba0-4179-ac90-48d58455fd36"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3384
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1708
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD53e216220ee940a8bf4086521d14c96f1
SHA17c0af0522655adac471ed56160cb38857aa423c9
SHA256b43d0074f658b95c3f1e66371c2dd8f6a1baa1054d931302aeccfa0a0a8c3b4f
SHA5126ff9415055e19a263aac79ca431b4293fccdce1b79f125968c4f25913fd4f49654f3795f0206223c3db69653b4edd479d300be0673f1659e0ccec601680c4213
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
225B
MD568210dc87ce0f1ee37ed566b205c4908
SHA17603ca17f88d80c754ebe68060e21587e5db5aa0
SHA256916e5fc8f3e0aca5f5bcf53f9efd8f2cc0d4901d4a0a7b57c4932d74586f70e5
SHA5120e57c3b302478c6fa8d4e1bcef654de026575d492582c9d8787e2b774d753106f2d34e67d70bc43d44cd47c436c2166ed99b6125ab57aed060d2f128894ec1c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5b37eee2552522d51b5d8045e6397c56a
SHA1df7cede952d9088326533e0675f9af3a0412cb2e
SHA2562f47246e72e3f6cc3e5172cc555fbf2bf4a018653a8b0f7ef36a437a149c2c88
SHA512189c7961e872c9001c5decf65113076adb7b3b76a43d047d34308b61082e0b59aa90182c3f53e87432233e731259bb590a0ef18f3ab173da7212d9b5ba701a97
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD5e10202b6ab0b7420d6e690fb0b5f855d
SHA13a9f90af05c5e932c67aef0beb35464e99713991
SHA2561063967df0b5d68609eb4da57043fce6fcde597f420e401ac009ee5378db88f6
SHA51223bb38b05986566e73d59db162a4d8b1f9aa0396aa996f0f675f9dd29ec0835e930b1346d1315119a82903aa8db7318c5da164cd5cb26c847991c1c1ea05eee7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5b56ef82c98008d1730d873e5b1216f0d
SHA17932ff198c39e5ca5d46d513e22c7907e8282fd4
SHA256b7a65caf0de8c757ba1d28eae861fcbd0e5bdf53fea7af1d25260edcd523eaf5
SHA512aebf1a3c7d6b4a5b18aca73b073a15d00b0a3ae1de756e827e85833a6d96ca78e13778577869be4cb0f6d10cfb6a1409205920030fb4ed0fe45c14446d4e9a60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5966212314c534fd4960072ed9a691858
SHA17d9d207fa9cf23944926bdb80e60a18bac0d2bb7
SHA256c02dfc426e4d36c4179077c7ba452569784118d7d5755ef52072e5cfde151425
SHA512ec667db0d127f9c6e1592ae2b6ee74e13501d5aa88157615b565f4d6ba9eb61aa38355c0d57d84742d66132e896a5594e1317cffd1bd1b1b8fb058400f60177a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD59feb33475d255984da4dda6741c04f94
SHA12884b62d2bae6eb46e0ba463362666a8e584e541
SHA256dbca93c5604eb5f364527686ef9dc4be983bb85291a60b4377b4080a4ae2c9b3
SHA5123c85768da7ba0f0ac763e32bc9ab6db1213a3a8d915abc4d1c0ebbf488812468f97cc7bf1518c94c541a483dacc8b9d6d0befccd2fd09b16e4877aa6825d4d1a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5e07cbb53ae51e72d5c12c4a56312dfa6
SHA176990c65179ce81b2a11d684982ee7652cfa6055
SHA256c3073dab3566e3a4ee51abb998493c426321eafe20cf8aaccd79cbfe7b2a1b03
SHA512a62b04704e3b407d4424d2e8adb9921bae4dc2ea346055c89c0b407c25a0a7c049a0d5093ee9e61a6a21823b95c59d9122932dfbcc7b647e9f4a14acbf393bf4
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD57c2346e58afd0cc0337fc935cd41d9c4
SHA132189bee035e465d2df8bb15c5d168f8eff6f187
SHA2569219d0815a0320d65356c84003ea6d80935ebf855d2b7fbda79c4f38057a1e78
SHA512b7267d28ec63ce3b3a2bd247094bf1a4cc8891549a4d43f8875ba1e37f97f3a1a6bddcbc8f9be009fc12a3836dd9d759394ec5a38ef87c8425990d42ce3cb9e2
-
Filesize
24.1MB
MD52db83dfef187b3ab2f1ace6129a9835d
SHA16081447645df91169c01c7a8a3a5e60946d6dbe0
SHA25698067291d42bbde413925930707850e6cf5e835922719e83bf58bf5101fa7481
SHA5126c176bdfd6397968f92d5cb01f94c3dace0412b6b47e42726ba93f45d368ca5524ca82f16fb2a4570d56bb747da1425fe2d6192c6e9378a4a9b3040238a4c8dd
-
\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5226a823-cc19-4ab2-bf14-e14eebc60754}_OnDiskSnapshotProp
Filesize6KB
MD54a26f5576c46c7980751f0fc5d38014a
SHA16edd0550cd6b2ef86a8850505c0f81d6a0e64fda
SHA25646893df1b3de8c592fb8e3b85f409951c18983fc57d6712a9e87fb0ac61ce573
SHA512ac47ccb67e2fed02dffe99e15405cbde06ab198a4b30a07848b1857f906e24374b469814d69994bd30732ea60e80ff4e164be36ad6a18d8b0d0c25b3fc12a867