File name:

64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe

Full analysis: https://app.any.run/tasks/195b71ca-6e0f-4edb-aa5c-78af7a2591eb
Verdict: Malicious activity
Analysis date: May 16, 2025, 22:49:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

04F0D6AE04089387B73F89E5F660D4EE

SHA1:

3AF6D77B2F78AAC77D92650DD891D0223175D4BF

SHA256:

CD1C64A69A48BEE49E6527624F8CE1A1D8317D6D06C169F4C00C632A172A9138

SSDEEP:

24576:aZ332qICgJAJ/iXNMRk35DPruCUUVs3Xrr95uGGFQII5GVBeh:6332qICgJAxiXNMRk35DPxUUVs3Xrr9z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7784)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7784)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7816)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Application launched itself

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7784)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7816)

    • The process creates files with name similar to system file names

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Drops 7-zip archiver for unpacking

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Reads security settings of Internet Explorer

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

  • INFO

    • Create files in a temporary directory

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7784)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7816)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Checks supported languages

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7784)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7816)
      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • The sample compiled with english language support

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Process checks whether UAC notifications are on

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Reads the computer name

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)

    • Checks proxy server information

      • 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe (PID: 7844)
      • slui.exe (PID: 7488)

    • Reads the software policy settings

      • slui.exe (PID: 7488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:01:29 06:35:11+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 23552
InitializedDataSize: 123392
UninitializedDataSize: 1024
EntryPoint: 0x234a
OSVersion: 5.1
ImageVersion: 6
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.1
ProductVersionNumber: 4.0.0.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
Tag86a1a918f248164e11012: 61e14834143079405fa242387f3a76bdef0599bed028b28bc346d98d08ec0bdab2c1b8b26d634ff673b21a27116a20321a1885bf9d174104ee3b33b05f979f9f0859a9c91f6f06dca2811983a2564f415172ea2733f5544fa34eb4a340d748eddb8003ebe19013a686a81d760d0fc6d6dc684e94e5ae3fdb5ddafe7e8a2dbc1b923cc2a5e99dd61155b5277059e91dec11f29b907b78c346d15fb4bd599e72848f376748b5ac1b6f194381bb535dac8f8bf6414909669f15400ccf9b0bc651c9a1f19f9a1c612fddfac7e458098bd850a3ec96da7afd0a4fc66ad6249a1e368ae301eb730f7385af3c0e8756289f40728542a512220e34b30db2764b934d38763b3d1c5416120553b4792ba64f67b6a96e809c60d927e840e053ee7f8077b59cf759b02de4ca0f42
Tag931e0c1771878c1400623: b5af6fa3
B2fdd353db79950eba741: 16acf41bd23f7ef33578502d08c540698c7d704073a13634278c1d4f20aae7aa5ab108ba98696598ab88db184fb66af0d62a65b741ff9b0ff2bee2b0a124dcaa
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe slui.exe 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7488C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7688"C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe" C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7784"C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe" C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\users\admin\desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7816"C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe" C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7844"C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe" C:\Users\admin\Desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\users\admin\desktop\64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 167
Read events
4 164
Write events
3
Delete events
0

Modification events

(PID) Process:(7844) 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7844) 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7844) 64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
19
Suspicious files
32
Text files
28
Unknown types
1

Dropped files

PID
Process
Filename
Type
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\LuaBridge.dllexecutable
MD5:4E08FE995AB74BA4D145DDB77EA095FC
SHA256:2EF56248D49DB506630F712CEBDEDA81D2C20448F4728888E6D11520DAB6F78C
781664deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD61F.tmpbinary
MD5:546AC609FE164E246113793E6643ECAF
SHA256:1AA6335E7712760F5C489B62857673648B4B42BB30E82252D8029C2D5966085B
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\7d4b85d62fb353e7a43256f40d539ceb6fd06006.luatext
MD5:E440044AFE6C761507A996B5B45AB0F9
SHA256:B1864AED85C114354B04FBE9B3F41C5EBC4DF6D129E08EF65A0C413D0DAABD29
778464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nsxD565.tmp\LuaBridge.dllexecutable
MD5:4E08FE995AB74BA4D145DDB77EA095FC
SHA256:2EF56248D49DB506630F712CEBDEDA81D2C20448F4728888E6D11520DAB6F78C
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\step1.luabinary
MD5:966E7A1D6E0124AF8FB30584AC477FB1
SHA256:DF0E627304ADD6595E583D7BB7843CE21F51AB2A5B56526D3F0A0B5023183E65
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\897d21056a341314b60764c31b36c1fad542e78a.luatext
MD5:74DBE1060E91112E1C21EF9870B4A587
SHA256:15FD138A169CAE80FECF4C797B33A257D587ED446F02ECF3EF913E307A22F96D
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\System.dllexecutable
MD5:7E3C808299AA2C405DFFA864471DDB7F
SHA256:91C47A9A54A3A8C359E89A8B4E133E6B7296586748ED3E8F4FE566ABD6C81DDD
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\c6d51ab09f96b7569326130e860517b7d87e866d.luatext
MD5:4BFDAAAB9014FE129BC6388FD5687C8F
SHA256:E9167E0DA842A0B856CBE6A2CF576F2D11BCEDB5985E8E4C8C71A73486F6FA5A
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\LuaXml_lib.dllexecutable
MD5:7292B642BD958AEB7FD7CFD19E45B068
SHA256:90F1BB98E034FCF7BFDDB8CB0A85B27A9C9DDB01B926B4E139E1E8FC53D41D09
784464deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exeC:\Users\admin\AppData\Local\Temp\nscD6BC.tmp\7b33b2bde409277581a53da83ac5b1bfdcf29afa.luabinary
MD5:14920D935A6DF3772FABE3DACCF878FB
SHA256:E6FDF6A535C2E980910E786F08F9F4CBFC84F6D2F8EECBD23C914B37D6FB69C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
52
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.149:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7844
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
GET
404
23.23.235.104:80
http://service.downloadadmin.com/install?bc=1180520&pid=mundomedia_cpa&brand=securedownload01.com&aid=CD7045&country=EU&osName=Windows&osVersion=9.0&browserName=Google+App+Engine%26zTmp%3D1&secure=true&p_tid=dcb0669e-746b-5749-b6b6-090d04a668e6&checksum=0
unknown
malicious
7844
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
POST
404
23.23.235.104:80
http://service.downloadadmin.com/install?bc=1180520&pid=mundomedia_cpa&brand=securedownload01.com&aid=CD7045&country=EU&osName=Windows&osVersion=9.0&browserName=Google+App+Engine%26zTmp%3D1&secure=true&p_tid=dcb0669e-746b-5749-b6b6-090d04a668e6&checksum=0
unknown
malicious
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8112
SIHClient.exe
GET
200
23.48.23.142:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8112
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8112
SIHClient.exe
GET
200
23.48.23.142:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8112
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8112
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.48.23.149:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7844
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
23.23.235.104:80
service.downloadadmin.com
AMAZON-AES
US
malicious
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.48.23.149
  • 23.48.23.135
  • 23.48.23.157
  • 23.48.23.158
  • 23.48.23.134
  • 23.48.23.151
  • 23.48.23.159
  • 23.48.23.194
  • 23.48.23.195
  • 23.48.23.142
  • 23.48.23.141
  • 23.48.23.174
  • 23.48.23.170
  • 23.48.23.175
  • 23.48.23.183
  • 23.48.23.189
  • 23.48.23.181
whitelisted
service.downloadadmin.com
  • 23.23.235.104
  • 18.233.221.25
malicious
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.128
  • 40.126.31.130
  • 40.126.31.73
  • 40.126.31.129
  • 40.126.31.71
  • 20.190.159.71
  • 40.126.31.69
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7844
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe
A Network Trojan was detected
ET MALWARE Win32/DownloadAdmin Activity
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
64deb93a91e185d8b9fdd54f12e902_04f0d6ae_mare54vs.exe