Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 18:28
Behavioral task: behavioral1
Sample: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
Resource: win7-20240903-en
General
Target: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
Size: 2.9MB
MD5: 31c7fa68b69d8d229a6e9daa2949d895
SHA1: 2f5593e25a34cbb303901bce8942a8505ba2a38f
SHA256: 5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f
SHA512: 7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37
SSDEEP: 49152:JyEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPp:Jnj36pUk0TkfYiQ/p
Malware Config
Extracted
meshagent
2
Home
http://control.tautolo.gy:443/agent.ashx
mesh_id: 0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB
server_id: 08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A
wss: wss://control.tautolo.gy:443/agent.ashx
Signatures
Detects MeshAgent payload 2 IoCs
Processes:
resource: C:\Program Files\Mesh Agent\MeshAgent.exe, yara_rule: family_meshagent
resource: C:\Program Files\Mesh Agent\MeshAgent.update.exe, yara_rule: family_meshagent
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-4050598569-1597076380-177084960-1000\""
process: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
process: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
Executes dropped EXE 3 IoCs
Processes:
MeshAgent.exe, MeshAgent.update.exe, MeshAgent.exe
pid 5044: MeshAgent.exe
pid 4384: MeshAgent.update.exe
pid 4892: MeshAgent.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 53 IoCs
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, MeshAgent.update.exe, powershell.exe
pid process
2948 powershell.exe
2948 powershell.exe
2140 powershell.exe
2140 powershell.exe
3932 powershell.exe
3932 powershell.exe
392 powershell.exe
392 powershell.exe
2008 powershell.exe
2008 powershell.exe
4384 MeshAgent.update.exe
4384 MeshAgent.update.exe
2300 powershell.exe
2300 powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 60 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1152

  C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  - Suspicious use of AdjustPrivilegeToken
  PID:4664

  C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe" -fullinstall
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:32

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    - Suspicious behavior: EnumeratesProcesses
    PID:3932

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    - Suspicious behavior: EnumeratesProcesses
    PID:392

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    - Suspicious behavior: EnumeratesProcesses
    PID:2008
-
C:\Program Files\Mesh Agent\MeshAgent.exe "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4050598569-1597076380-177084960-1000" 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:5044
-
C:\Windows\System32\wbem\wmic.exe wmic bios get /VALUE 2⤵ PID:3648
-
C:\Windows\System32\wbem\wmic.exe wmic BASEBOARD get /VALUE 2⤵ PID:2812
-
C:\Windows\System32\wbem\wmic.exe wmic CSProduct get /VALUE 2⤵ PID:4056
-
C:\Windows\system32\wbem\wmic.exe wmic os get oslanguage /FORMAT:LIST 2⤵ PID:4296
-
C:\Windows\System32\wbem\wmic.exe wmic MEMORYCHIP LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:216
-
C:\Windows\System32\wbem\wmic.exe wmic OS GET /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:4180
-
C:\Windows\System32\wbem\wmic.exe wmic PARTITION LIST /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:1516
-
C:\Windows\System32\wbem\wmic.exe wmic CPU LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:3664
-
C:\Windows\System32\wbem\wmic.exe wmic PATH Win32_VideoController GET Name,CurrentHorizontalResolution,CurrentVerticalResolution /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵
- Detects videocard installed
PID:5112
-
C:\Windows\System32\wbem\wmic.exe wmic diskdrive LIST BRIEF /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:4920
-
C:\Windows\System32\wbem\wmic.exe wmic SystemEnclosure get ChassisTypes 2⤵ PID:2672
-
C:\Windows\System32\wbem\wmic.exe wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:1532
-
C:\Windows\system32\cmd.execmd /C wmic service "Mesh Agent" call stopservice & "C:\Program Files\Mesh Agent\MeshAgent.update.exe" -b64exec dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0= "C:\Program Files\Mesh Agent\MeshAgent.exe" & copy "C:\Program Files\Mesh Agent\MeshAgent.update.exe" "C:\Program Files\Mesh Agent\MeshAgent.exe" & wmic service "Mesh Agent" call startservice & erase "C:\Program Files\Mesh Agent\MeshAgent.update.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4020
-
C:\Windows\System32\Wbem\WMIC.exe wmic service "Mesh Agent" call stopservice 3⤵ PID:4068
-
C:\Program Files\Mesh Agent\MeshAgent.update.exe"C:\Program Files\Mesh Agent\MeshAgent.update.exe" -b64exec dHJ5CnsKICAgIHZhciBzZXJ2aWNlTG9jYXRpb24gPSBwcm9jZXNzLmFyZ3YucG9wKCk7CiAgICByZXF1aXJlKCdwcm9jZXNzLW1hbmFnZXInKS5lbnVtZXJhdGVQcm9jZXNzZXMoKS50aGVuKGZ1bmN0aW9uIChwcm9jKQogICAgewogICAgICAgIGZvciAodmFyIHAgaW4gcHJvYykKICAgICAgICB7CiAgICAgICAgICAgIGlmIChwcm9jW3BdLnBhdGggPT0gc2VydmljZUxvY2F0aW9uKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwcm9jZXNzLmtpbGwocHJvY1twXS5waWQpOwogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIHByb2Nlc3MuZXhpdCgpOwogICAgfSk7Cn0KY2F0Y2goZSkKewogICAgcHJvY2Vzcy5leGl0KCk7Cn0= "C:\Program Files\Mesh Agent\MeshAgent.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4384
-
C:\Windows\System32\Wbem\WMIC.exe wmic service "Mesh Agent" call startservice 3⤵ PID:5084
-
C:\Program Files\Mesh Agent\MeshAgent.exe "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-4050598569-1597076380-177084960-1000" 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4892
-
C:\Windows\System32\wbem\wmic.exe wmic SystemEnclosure get ChassisTypes 2⤵ PID:3144
-
C:\Windows\system32\wbem\wmic.exe wmic os get oslanguage /FORMAT:LIST 2⤵ PID:4984
-
C:\Windows\System32\wbem\wmic.exe wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:2156
-
C:\Windows\system32\wbem\wmic.exe wmic os get oslanguage /FORMAT:LIST 2⤵ PID:408
-
C:\Windows\System32\wbem\wmic.exe wmic SystemEnclosure get ChassisTypes 2⤵ PID:236
-
C:\Windows\System32\wbem\wmic.exe wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv" 2⤵ PID:2536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -nologo -command - 2⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2300
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B344CF7F573D290944F8AF7B5131BF6CD2B7EA6E
Filesize 1KB
MD5 1d9aee6645a387018ee7fac7f1863c20
SHA1 d3f66c488282965d5853c1f1a70e47f7e87b2447
SHA256 4cb236c139457155a14d6767ae26f5ea9b8fb6866008fbf80b25e3ae0ab067fe
SHA512 17da861e51fccf7b271cd80aa7ff8c51ea9b49847a172042762678424e9ca730da345626f2a0a45e73707834555f89469f08bb639945477689f734381c31e1c5