File name: 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver

Full analysis: https://app.any.run/tasks/c92ea390-03a8-4c68-827f-ad66d92ce811
Verdict: Malicious activity
Analysis date: March 22, 2025, 21:18:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: meshagent
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: AA25DA3AFE423DFF37CFA022C1E9FE13
SHA1: 6D5847D12FB3F4850628567EA161F8A5D8EE946A
SHA256: 9899605EC7FA388416D1366AADEEA42AAF1CE9F5B6E6F11562E3F44139D4F9FC
SSDEEP: 98304:UdrmW4EM6E1vuMR9YQ2TNqG8VApYA3uoGCNSGPOAZVoL3:gM223

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
      • dlhost.exe (PID: 6584)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
    • Reads security settings of Internet Explorer

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
    • Application launched itself

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
    • The process creates files with name similar to system file names

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
    • Executable content was dropped or overwritten

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
    • Creates or modifies Windows services

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
    • Creates a software uninstall entry

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
    • Executes as Windows Service

      • dlhost.exe (PID: 6584)
    • MeshAgent potential remote access (YARA)

      • dlhost.exe (PID: 6584)
    • Connects to unusual port

      • dlhost.exe (PID: 6584)
  • INFO

    • Checks supported languages

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
      • dlhost.exe (PID: 6584)
    • Reads the computer name

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
      • dlhost.exe (PID: 6584)
    • The sample compiled with English language support

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
    • Process checks computer location settings

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
    • Creates files in the program directory

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 5528)
      • dlhost.exe (PID: 6584)
    • Reads the machine GUID from the registry

      • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (PID: 7036)
      • dlhost.exe (PID: 6584)
    • Reads the software policy settings

      • slui.exe (PID: 1168)
    • Checks proxy server information

      • slui.exe (PID: 1168)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:26 03:09:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2122752
InitializedDataSize: 1300992
UninitializedDataSize: -
EntryPoint: 0x1da03c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 10.0.22621.1
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: Security Process for Windows Services
FileVersion: 10.0.22621.1
InternalName: wcsvc
OriginalFileName: wcsvc.exe
ProductName: Security Center
ProductVersion: 10.0.22621.1
LegalCopyright: Microsoft Corporation. All rights reserved
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes in the graph (from start):
  • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe (no specs)
  • conhost.exe (no specs)
  • 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
  • conhost.exe (no specs)
  • dlhost.exe (#MESHAGENT)
  • slui.exe

Process information

PID: 1168
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3304
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5528
CMD: "C:\Users\admin\Desktop\2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe" -fullinstall
Path: C:\Users\admin\Desktop\2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Parent process: 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
User: admin
Integrity Level: HIGH
Description: Security Process for Windows Services
Exit code: 0
Version: 10.0.22621.1
Modules (images):
c:\users\admin\desktop\2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

PID: 6584
CMD: "C:\Program Files\donet\dlhost\dlhost.exe" --meshServiceName="dlhost" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\donet\dlhost\dlhost.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: Security Process for Windows Services
Version: 10.0.22621.1
Modules (images):
c:\program files\donet\dlhost\dlhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll

PID: 7036
CMD: "C:\Users\admin\Desktop\2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe"
Path: C:\Users\admin\Desktop\2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Security Process for Windows Services
Exit code: 0
Version: 10.0.22621.1
Modules (images):
c:\users\admin\desktop\2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
Total events: 4 628
Read events: 4 608
Write events: 20
Delete events: 0

Modification events

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dlhost
Operation: write
Name: ImagePath
Value: "C:\Program Files\donet\dlhost\dlhost.exe" --meshServiceName="dlhost" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dlhost
Operation: write
Name: _InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: DisplayName
Value: Windows Connection Manager

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: DisplayIcon
Value: C:\Program Files\donet\dlhost\dlhost.exe

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: InstallDate
Value: 20250322

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: InstallLocation
Value: C:\Program Files\donet\dlhost\

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: EstimatedSize
Value: 3466

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: NoModify
Value: 1

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: NoRepair
Value: 1

Process: (5528) 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dlhost
Operation: write
Name: UninstallString
Value: C:\Program Files\donet\dlhost\dlhost.exe -funinstall --meshServiceName="dlhost"
Executable files: 1
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID: 6584 | Process: dlhost.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\0A6D67210272F1FFE134B5AB7E1FFA83ABD3B37F
MD5: 2B35D20AAFF7816632C9B7643AC32ED0
SHA256: ABCAAB64001B888E27ACE9E99A48F359880BACD55054C72AF91D9694FFC59C22

PID: 6584 | Process: dlhost.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\D95EA086F6088EBE0EB66823FDD6C8F8D91CCD0A
MD5: 7C8A6F4D5ED84827BE36D9BB35F780E3
SHA256: D8EACD150749E3784BE09D429045939D63C0AF3A750336CF3D50A84B1C184EB5

PID: 6584 | Process: dlhost.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FC41DA9EAD9315773F18DF39CE07A3D9289FF9FF
MD5: C2E09498E2A519F4CBFEB2018099B913
SHA256: 6124B61DD48133D5D5EA3015DBDA59FDD657B598C1830927E4E62F7B80DFB054

PID: 6584 | Process: dlhost.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A9C4406AD44F836AF5B71290A750A570FA5610E3
MD5: 345A89B2787BC6807F34C0677BDC1974
SHA256: 464DF68EA3E07595D9DD8C12C5A2548F61AD03941613E7E263D00136A93FECC1

PID: 6584 | Process: dlhost.exe | Type: text
Filename: C:\Program Files\donet\dlhost\dlhost.msh
MD5: 8D3BF650DF6EEC111F93114BF05EE033
SHA256: 1F5836F487156999B2E1F44D7042EBFB09C977DA4C3E19956D9C3C3BB26CB962

PID: 5528 | Process: 2025-03-22_aa25da3afe423dff37cfa022c1e9fe13_coinminer_ismagent_ryuk_sliver.exe | Type: executable
Filename: C:\Program Files\donet\dlhost\dlhost.exe
MD5: AA25DA3AFE423DFF37CFA022C1E9FE13
SHA256: 9899605EC7FA388416D1366AADEEA42AAF1CE9F5B6E6F11562E3F44139D4F9FC
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6584 | dlhost.exe | 122.175.11.226:444 | remoteshare.in | Bharti Airtel Ltd., Telemedia Services | IN | unknown
2384 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1168 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.184.206 | whitelisted
remoteshare.in | 122.175.11.226, 116.73.117.214 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info