Extracted

• 2025-03-20_18900946e655949fdc301215783e19ab_coinminer_ismagent_ryuk_sliver

  .exe windows:6 windows x64 arch:x64

  fb0a8b4a81655f744a37af985e009476

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  PDB Paths

  C:\MeshAgent\MeshAgent\Release\MeshService64.pdb

  Imports

  comctl32

  InitCommonControlsEx

  dbghelp

  SymInitialize

  SymGetModuleBase64

  SymGetLineFromAddr64

  SymFunctionTableAccess64

  SymFromAddr

  StackWalk64

  MiniDumpWriteDump

  iphlpapi

  GetAdaptersAddresses

  SendARP

  ConvertLengthToIpv4Mask

  GetAdaptersInfo

  ws2_32

  WSACloseEvent

  htons

  htonl

  gethostname

  ntohs

  ntohl

  WSAGetLastError

  ioctlsocket

  recv

  WSASetLastError

  send

  getsockname

  WSASocketW

  listen

  closesocket

  bind

  accept

  __WSAFDIsSet

  setsockopt

  socket

  sendto

  getsockopt

  recvfrom

  connect

  shutdown

  WSAIoctl

  GetAddrInfoW

  WSAResetEvent

  WSAEventSelect

  WSAStartup

  WSACreateEvent

  WSACleanup

  FreeAddrInfoW

  select

  crypt32

  CertFindCertificateInStore

  CertDuplicateCertificateContext

  CertDeleteCertificateFromStore

  CryptAcquireCertificatePrivateKey

  CertAddEncodedCertificateToStore

  CryptMsgClose

  CryptMsgUpdate

  CryptExportPublicKeyInfo

  CertCreateSelfSignCertificate

  CertFreeCertificateContext

  CryptMsgOpenToEncode

  CertAddCertificateContextToStore

  PFXExportCertStore

  CryptSignAndEncodeCertificate

  CertCloseStore

  CertStrToNameA

  CryptMsgGetParam

  CryptEncodeObject

  CertSetCertificateContextProperty

  CertGetCertificateContextProperty

  CryptMsgCalculateEncodedLength

  CertOpenStore

  CertStrToNameW

  CertEnumCertificatesInStore

  gdiplus

  GdipGetImageEncoders

  GdiplusShutdown

  GdipCloneImage

  GdipAlloc

  GdipDisposeImage

  GdipFree

  GdipGetImageEncodersSize

  GdipLoadImageFromStream

  GdipSaveImageToStream

  GdiplusStartup

  ncrypt

  NCryptCreatePersistedKey

  NCryptFreeObject

  NCryptSetProperty

  BCryptCloseAlgorithmProvider

  BCryptGenRandom

  NCryptOpenStorageProvider

  BCryptOpenAlgorithmProvider

  NCryptFinalizeKey

  kernel32

  InitializeSListHead

  GetStartupInfoW

  RtlUnwindEx

  GetFullPathNameW

  GetStdHandle

  WriteFile

  LoadLibraryExA

  GetModuleFileNameW

  GetSystemPowerStatus

  OpenProcess

  MultiByteToWideChar

  Sleep

  GetLastError

  CloseHandle

  GetCurrentDirectoryW

  SetCurrentDirectoryW

  GetProcAddress

  SetEnvironmentVariableA

  CreateProcessW

  FreeLibrary

  WideCharToMultiByte

  GetCurrentThreadId

  GetModuleHandleA

  WaitForSingleObjectEx

  CreateThread

  QueueUserAPC

  OpenThread

  ReadFile

  LoadLibraryA

  SleepEx

  SetSystemPowerState

  GetCurrentProcess

  SetThreadExecutionState

  HeapFree

  HeapAlloc

  GetProcessHeap

  SystemTimeToFileTime

  GetSystemTime

  FileTimeToSystemTime

  SystemTimeToTzSpecificLocalTime

  QueryPerformanceCounter

  ReleaseSemaphore

  WaitForSingleObject

  CreateSemaphoreA

  CancelIo

  FindFirstFileW

  FindNextFileW

  RemoveDirectoryW

  GetFinalPathNameByHandleW

  GetDriveTypeA

  SetFilePointer

  FindFirstVolumeA

  FindClose

  CreateFileW

  GetVolumePathNamesForVolumeNameA

  GetFileAttributesExW

  ReadDirectoryChangesW

  FindNextVolumeA

  FindVolumeClose

  GetDiskFreeSpaceExA

  CreateEventA

  GetModuleHandleExA

  WaitForMultipleObjectsEx

  CreateNamedPipeA

  DisconnectNamedPipe

  CreateFileA

  CancelIoEx

  LocalFree

  ConnectNamedPipe

  SetConsoleMode

  GetConsoleMode

  SetConsoleOutputCP

  IsDebuggerPresent

  TerminateProcess

  GetTempPathW

  CancelSynchronousIo

  SetEvent

  ResetEvent

  IsProcessorFeaturePresent

  GetCurrentProcessId

  GetEnvironmentStrings

  FreeEnvironmentStringsA

  CopyFileW

  RtlCaptureContext

  SuspendThread

  ResumeThread

  DuplicateHandle

  GetTickCount64

  GetCurrentThread

  GetOverlappedResult

  GetThreadContext

  WTSGetActiveConsoleSessionId

  GetExitCodeProcess

  SetEndOfFile

  DeleteFileW

  SetFilePointerEx

  SetConsoleCtrlHandler

  FreeConsole

  LoadLibraryExW

  SetLastError

  GetFileType

  GetModuleHandleW

  SwitchToFiber

  DeleteFiber

  CreateFiber

  GetSystemTimeAsFileTime

  ConvertFiberToThread

  ConvertThreadToFiber

  GetEnvironmentVariableW

  ReadConsoleA

  ReadConsoleW

  EnterCriticalSection

  LeaveCriticalSection

  DeleteCriticalSection

  InitializeCriticalSectionAndSpinCount

  TlsAlloc

  TlsGetValue

  TlsSetValue

  TlsFree

  ExitProcess

  GetModuleHandleExW

  CreateDirectoryW

  GetConsoleCP

  MoveFileExW

  SetEnvironmentVariableW

  GetTimeZoneInformation

  SetStdHandle

  GetDriveTypeW

  PeekNamedPipe

  GetCommandLineA

  GetCommandLineW

  GetACP

  GetDateFormatW

  GetTimeFormatW

  CompareStringW

  LCMapStringW

  GetStringTypeW

  HeapReAlloc

  FlushFileBuffers

  WriteConsoleW

  GetCPInfo

  FindFirstFileExW

  SetUnhandledExceptionFilter

  UnhandledExceptionFilter

  RtlLookupFunctionEntry

  GetThreadId

  RtlVirtualUnwind

  IsValidCodePage

  GetOEMCP

  GetEnvironmentStringsW

  FreeEnvironmentStringsW

  RaiseException

  HeapSize

  RtlPcToFileHeader

  QueryPerformanceFrequency

  EncodePointer

  user32

  EndDialog

  SetWindowTextW

  GetWindowPlacement

  ShowWindow

  GetDlgCtrlID

  SetWindowPlacement

  SetWindowTextA

  IsDlgButtonChecked

  GetDlgItem

  CheckDlgButton

  DialogBoxParamW

  EnableWindow

  MessageBeep

  ExitWindowsEx

  GetUserObjectInformationA

  EnumDisplayMonitors

  GetSystemMetrics

  SetThreadDesktop

  GetThreadDesktop

  CloseDesktop

  BlockInput

  GetMonitorInfoA

  OpenInputDesktop

  GetKeyState

  GetMessageA

  GetMessageExtraInfo

  SendMessageW

  LoadCursorA

  DestroyWindow

  GetDC

  PostMessageA

  GetIconInfo

  CallNextHookEx

  GetCursorInfo

  SetWindowsHookExA

  MapVirtualKeyA

  GetForegroundWindow

  UnhookWindowsHookEx

  DefWindowProcA

  CreateWindowExA

  TranslateMessage

  UnregisterClassA

  DrawIconEx

  SetWinEventHook

  RegisterClassExA

  UnhookWinEvent

  SetForegroundWindow

  ReleaseDC

  SendInput

  SetProcessDPIAware

  MessageBoxW

  GetUserObjectInformationW

  GetProcessWindowStation

  DispatchMessageA

  CreateWindowExW

  GetWindowRect

  gdi32

  SetBkMode

  SetBkColor

  CreateSolidBrush

  BitBlt

  StretchBlt

  DeleteDC

  SetStretchBltMode

  CreateCompatibleBitmap

  GetObjectA

  SelectObject

  CreateCompatibleDC

  GetDIBits

  DeleteObject

  SetTextColor

  GetStockObject

  advapi32

  CloseServiceHandle

  AllocateAndInitializeSid

  CryptEnumProvidersW

  CryptSignHashW

  CryptDestroyHash

  CryptCreateHash

  CryptDecrypt

  CryptExportKey

  CryptGetUserKey

  CryptGetProvParam

  CryptSetHashParam

  CryptAcquireContextW

  ReportEventW

  RegisterEventSourceW

  DeregisterEventSource

  StartServiceCtrlDispatcherA

  RegCreateKeyW

  RegSetValueExA

  RegDeleteKeyA

  RegCloseKey

  RegOpenKeyExA

  OpenProcessToken

  InitiateSystemShutdownA

  LookupPrivilegeValueA

  AdjustTokenPrivileges

  CryptReleaseContext

  RegSetValueExW

  CryptDestroyKey

  InitializeSecurityDescriptor

  SetEntriesInAclA

  SetSecurityDescriptorDacl

  DuplicateTokenEx

  CreateProcessAsUserW

  SetTokenInformation

  OpenServiceA

  CheckTokenMembership

  FreeSid

  RegisterServiceCtrlHandlerExA

  OpenSCManagerA

  SetServiceStatus

  QueryServiceStatus

  shell32

  ShellExecuteExW

  ole32

  CoInitializeEx

  CreateStreamOnHGlobal

  CoUninitialize

  Sections

  .text

  Size: 2.0MB - Virtual size: 2.0MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 981KB - Virtual size: 981KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 39KB - Virtual size: 201KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: 102KB - Virtual size: 101KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .gfids

  Size: 512B - Virtual size: 196B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 136KB - Virtual size: 135KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 19KB - Virtual size: 18KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ