File name: 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver

Full analysis: https://app.any.run/tasks/2ca1ec97-5355-44ca-9ff6-2c8d34ecde27
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:36:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 98FEDF655C52D5B8B84537B35987456A
SHA1: 0A8FDAAF376CC520C29CBC2C2BBC20FFA50F147E
SHA256: 7EBCE1AC5339B3163A6E323639424BDE8F385259F5E4FE6E41DB29D74A96E3BA
SSDEEP: 98304:b/NkRdEtqLdOvOSWHO2mSxzbOep2irTPjz1:x+dJh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses WMIC.EXE to obtain operating system information

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
    • Reads security settings of Internet Explorer

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
    • Application launched itself

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
    • Executable content was dropped or overwritten

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
    • Creates or modifies Windows services

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
    • Reads the date of Windows installation

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 5308)
    • Creates a software uninstall entry

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
  • INFO

    • Checks supported languages

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
      • MeshAgent.exe (PID: 5308)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2788)
    • The sample was compiled with English language support

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
    • Reads the computer name

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
      • MeshAgent.exe (PID: 5308)
    • Reads the machine GUID from the registry

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
      • MeshAgent.exe (PID: 5308)
    • The process uses the downloaded file

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
    • Process checks computer location settings

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2324)
    • Creates files in the program directory

      • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (PID: 2736)
      • MeshAgent.exe (PID: 5308)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

ProductVersion: Commit: 2022-Dec-2 11:42:16-0800
ProductName: MeshCentral Agent
LegalCopyright: Apache 2.0 License
FileVersion: 2022-Dec-2 11:42:16-0800
FileDescription: MeshCentral Background Service Agent
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows command line
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x1d9d8c
UninitializedDataSize: -
InitializedDataSize: 1475072
CodeSize: 2122240
LinkerVersion: 14
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2022:12:09 20:12:49+00:00
MachineType: AMD AMD64
No data.
All screenshots are available in the full report
Total processes
125
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Process nodes in the order shown in the graph:
  • start
  • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
  • conhost.exe (no specs)
  • meshagent.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2324
CMD: "C:\Users\admin\Desktop\2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe"
Path: C:\Users\admin\Desktop\2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MeshCentral Background Service Agent
Exit code:
0
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\users\admin\desktop\2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 5696
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2788
CMD: wmic os get oslanguage /FORMAT:LIST
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1544
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2736
CMD: "C:\Users\admin\Desktop\2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe" -fullinstall
Path: C:\Users\admin\Desktop\2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Parent process: 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
User:
admin
Integrity Level:
HIGH
Description:
MeshCentral Background Service Agent
Exit code:
0
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\users\admin\desktop\2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\ucrtbase.dll
PID: 1612
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5308
CMD: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\Mesh Agent\MeshAgent.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
MeshCentral Background Service Agent
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
1 270
Read events
1 254
Write events
16
Delete events
0

Modification events

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: _InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayName
Value: Mesh Agent

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files\Mesh Agent\MeshAgent.exe

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallLocation
Value: C:\Program Files\Mesh Agent\

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: EstimatedSize
Value: 3358

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoModify
Value: 1

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoRepair
Value: 1

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: UninstallString
Value: C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"

(PID) Process: (2736) 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayVersion
Value: 2022-12-02 19:42:16.000+00:00
Executable files
1
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2736
Process: 2025-01-10_98fedf655c52d5b8b84537b35987456a_ismagent_ryuk_sliver.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.exe
Type: executable
MD5: 98FEDF655C52D5B8B84537B35987456A
SHA256: 7EBCE1AC5339B3163A6E323639424BDE8F385259F5E4FE6E41DB29D74A96E3BA

PID: 5308
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\80858169C3FA1FF9DAFDA0AC128014422FA6C66F
Type: binary
MD5: 05B66B479FAA2423210EFB07D68469A2
SHA256: 9C9AD4B578EDFC1D792D2E213A0D01F024273C8E433972A3E35DC0B84DF99E5C

PID: 5308
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\164FEF8315B70A36A1509D97CE930DDC74134E66
Type: binary
MD5: D842B64B79947CF8D260B7A1DFBA15FB
SHA256: 06822735B37723A83C4FE6378E314D360624A8E7F2FC2F78E44198A9AA5D4166

PID: 5308
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A04E215925FA505F40D1BC29E4063289A31F680B
Type: binary
MD5: E5E3F616AE3CACA3BC0995E3C7A02E72
SHA256: 56A5B4EFDE2B336C99DF681584E7BB47332263C88380AEC93520C00A03FF58EA

PID: 5308
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\00056C324F1A689F8FAF03A9727DD31E6A9CC481
Type: binary
MD5: E09FC0328979636AF7B2DCC4E6BD3568
SHA256: 7467E31E384B1793356C3376153B6F2BF81A6473AE03E3C0B02BDED8BB608873
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4428 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4428 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4428 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4428 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
unknown
google.com
  • 142.250.186.142
unknown
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.178
  • 23.48.23.176
  • 23.48.23.185
  • 23.48.23.168
  • 23.48.23.181
  • 23.48.23.183
  • 23.48.23.188
  • 23.48.23.177
unknown
www.microsoft.com
  • 184.30.21.171
unknown
self.events.data.microsoft.com
  • 20.189.173.17
unknown

Threats

No threats detected
No debug info