File name:

3L1V_04ef501e_mardvcwm.exe

Full analysis: https://app.any.run/tasks/995dc22b-f287-45cb-a14a-5bc294d8a242
Verdict: Malicious activity
Analysis date: May 16, 2025, 22:42:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
scan
smbscan
icmp
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

04EF501E9084027CE0FCA42EEB519B80

SHA1:

16DC07B625E58933334E3D2EC045263800B018F3

SHA256:

B8E3DB0EF8D92B0919F06BE07EC94762EC07C67E8E0E45AED6952BFC498D5970

SSDEEP:

12288:3h4/P7ZfpUjztzYqVaNJdjI2Avft9HMrTAF+hLNh+gMPtJ6m4LoT/34oc/OQrB7d:w7Z4YwaJdjI2Avft9HMrTAF+hLNhHm4B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Attempting to scan the network

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

    • SMBSCAN has been detected (SURICATA)

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

    • There is functionality for sending ICMP (YARA)

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

  • INFO

    • Reads the computer name

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

    • Checks supported languages

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

    • Reads the machine GUID from the registry

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

    • UPX packer has been detected

      • 3L1V_04ef501e_mardvcwm.exe (PID: 7564)

    • Reads the software policy settings

      • slui.exe (PID: 8060)

    • Checks proxy server information

      • slui.exe (PID: 8060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.7)
.exe | UPX compressed Win32 Executable (40.5)
.exe | Win32 Executable (generic) (6.7)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1988:05:28 03:17:54+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 263680
InitializedDataSize: 43008
UninitializedDataSize: 65536
EntryPoint: 0x172d
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SMBSCAN 3l1v_04ef501e_mardvcwm.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7564"C:\Users\admin\Desktop\3L1V_04ef501e_mardvcwm.exe" C:\Users\admin\Desktop\3L1V_04ef501e_mardvcwm.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\3l1v_04ef501e_mardvcwm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
8060C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 007
Read events
4 007
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
75643L1V_04ef501e_mardvcwm.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\index.htmlhtml
MD5:71D8A5A492351621C693D0E9ED085D9D
SHA256:CEAC8748A86F4304A9F22859A90DDA9629767F52E4AB50667DB61EB566BE07FE
75643L1V_04ef501e_mardvcwm.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\index.htmlhtml
MD5:73EB52830876B8403217EF42B2F13318
SHA256:4646FE51FC1E98E1C0DA0EE0BBD9F0C920073033F7CF13319AF52360BADA73D9
75643L1V_04ef501e_mardvcwm.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\license.htmlhtml
MD5:17DDAAF08ED284F3C6E7F463A2451574
SHA256:9921C646E43C31E998B09DD052F07772945BF2B9541F8F19C839B9AE44A9E3F3
75643L1V_04ef501e_mardvcwm.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\index.htmlhtml
MD5:16773F7E1C70AA3254D6BF0B169F447E
SHA256:885AAFAFE0293A2B28BB9B3D67B64E2B3389D640D3D6CB0D83133E0B96DDEEC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
1 179
DNS requests
17
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2568
RUXIMICS.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2568
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6540
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6540
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6540
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2568
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2568
RUXIMICS.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
7564
3L1V_04ef501e_mardvcwm.exe
222.121.99.36:139
Korea Telecom
KR
unknown
7564
3L1V_04ef501e_mardvcwm.exe
222.121.21.24:139
Korea Telecom
KR
unknown
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
  • 23.48.23.159
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.158
  • 23.48.23.194
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.14
  • 40.126.32.138
  • 20.190.160.132
  • 20.190.160.20
  • 40.126.32.74
  • 20.190.160.4
  • 20.190.160.3
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

PID
Process
Class
Message
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7564
3L1V_04ef501e_mardvcwm.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3L1V_04ef501e_mardvcwm.exe