File name:

7zipInstall.exe

Full analysis: https://app.any.run/tasks/2eb4a85f-fea2-4369-8717-cbf7bd1551a2
Verdict: Malicious activity
Analysis date: July 07, 2025, 08:43:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

9EECA41AA10EF3C99D7DB2EA97160E17

SHA1:

3BF66C442B446BB642AB75360077203A1DDDC16F

SHA256:

7B67375B2B303E05D2989F23E986126EDA67435C71231FA4B0BDAEB7A619A0A6

SSDEEP:

49152:/PHtcOHyP4Rdkd2XMixIU8P8K1lGEfmvzqoVILcPyff7hkjIPdn0NdbZlpLYHqlQ:/ftcdWK2XMgqkKbt4ZtPg1kjI1n25zpI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 7zipInstall.exe (PID: 7100)

    • Drops 7-zip archiver for unpacking

      • 7zipInstall.exe (PID: 7100)

    • Creates a software uninstall entry

      • 7zipInstall.exe (PID: 7100)

    • Creates/Modifies COM task schedule object

      • 7zipInstall.exe (PID: 7100)

  • INFO

    • The sample compiled with russian language support

      • 7zipInstall.exe (PID: 7100)

    • Reads the computer name

      • 7zipInstall.exe (PID: 7100)

    • The sample compiled with english language support

      • 7zipInstall.exe (PID: 7100)

    • Checks supported languages

      • 7zipInstall.exe (PID: 7100)

    • Checks proxy server information

      • slui.exe (PID: 5716)

    • Reads the software policy settings

      • slui.exe (PID: 5716)

    • Creates files in the program directory

      • 7zipInstall.exe (PID: 7100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:05 12:00:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 24064
UninitializedDataSize: -
EntryPoint: 0x7294
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 25.0.0.0
ProductVersionNumber: 25.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7-Zip Installer
FileVersion: 25
InternalName: 7zipInstall
LegalCopyright: Copyright (c) 1999-2025 Igor Pavlov
OriginalFileName: 7zipInstall.exe
ProductName: 7-Zip
ProductVersion: 25
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 7zipinstall.exe slui.exe 7zipinstall.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5716C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7052"C:\Users\admin\Desktop\7zipInstall.exe" C:\Users\admin\Desktop\7zipInstall.exeexplorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Installer
Exit code:
3221226540
Version:
25.00
Modules
Images
c:\users\admin\desktop\7zipinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7100"C:\Users\admin\Desktop\7zipInstall.exe" C:\Users\admin\Desktop\7zipInstall.exe
explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Installer
Exit code:
0
Version:
25.00
Modules
Images
c:\users\admin\desktop\7zipinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
3 656
Read events
3 635
Write events
21
Delete events
0

Modification events

(PID) Process:(7100) 7zipInstall.exeKey:HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation:writeName:Path64
Value:
C:\Program Files\7-Zip\
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation:writeName:Path
Value:
C:\Program Files\7-Zip\
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation:writeName:Path64
Value:
C:\Program Files\7-Zip\
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation:writeName:Path
Value:
C:\Program Files\7-Zip\
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:writeName:{23170F69-40C1-278A-1000-000100020000}
Value:
7-Zip Shell Extension
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:writeName:{23170F69-40C1-278A-1000-000100020000}
Value:
7-Zip Shell Extension
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe
Operation:writeName:Path
Value:
C:\Program Files\7-Zip\
(PID) Process:(7100) 7zipInstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
Operation:writeName:DisplayName
Value:
7-Zip 25.00 (x64)
Executable files
9
Suspicious files
0
Text files
97
Unknown types
3

Dropped files

PID
Process
Filename
Type
71007zipInstall.exeC:\Program Files\7-Zip\Lang\af.txttext
MD5:DF216FAE5B13D3C3AFE87E405FD34B97
SHA256:9CF684EA88EA5A479F510750E4089AEE60BBB2452AA85285312BAFCC02C10A34
71007zipInstall.exeC:\Program Files\7-Zip\History.txttext
MD5:D0B8877E2887EBB5ED1C743536DAB79A
SHA256:9C92C646E66AC7C8F200659AE3153785E7D6C07EFDE95C81EC131EA4BBCC394E
71007zipInstall.exeC:\Program Files\7-Zip\7-zip.chmchm
MD5:22AB036830DE22E7E63C8E700EF5583C
SHA256:07BA58F647B1C56FC96129EC1FE8B892E824BD3F996255F33F396E76B1EFA90C
71007zipInstall.exeC:\Program Files\7-Zip\Lang\ast.txttext
MD5:1CF6411FF9154A34AFB512901BA3EE02
SHA256:F5F2174DAF36E65790C7F0E9A4496B12E14816DAD2EE5B1D48A52307076BE35F
71007zipInstall.exeC:\Program Files\7-Zip\descript.iontext
MD5:EB7E322BDC62614E49DED60E0FB23845
SHA256:1DA513F5A4E8018B9AE143884EB3EAF72454B606FD51F2401B7CFD9BE4DBBF4F
71007zipInstall.exeC:\Program Files\7-Zip\Lang\ba.txttext
MD5:387FF78CF5F524FC44640F3025746145
SHA256:8A85C3FCB5F81157490971EE4F5E6B9E4F80BE69A802EBED04E6724CE859713F
71007zipInstall.exeC:\Program Files\7-Zip\Lang\br.txttext
MD5:07504A4EDAB058C2F67C8BCB95C605DD
SHA256:432BDB3EAA9953B084EE14EEE8FE0ABBC1B384CBDD984CCF35F0415D45AABBA8
71007zipInstall.exeC:\Program Files\7-Zip\Lang\ar.txttext
MD5:5747381DC970306051432B18FB2236F2
SHA256:85A26C7B59D6D9932F71518CCD03ECEEBA42043CB1707719B72BFC348C1C1D72
71007zipInstall.exeC:\Program Files\7-Zip\Lang\bn.txttext
MD5:771C8B73A374CB30DF4DF682D9C40EDF
SHA256:3F55B2EC5033C39C159593C6F5ECE667B92F32938B38FCAF58B4B2A98176C1FC
71007zipInstall.exeC:\Program Files\7-Zip\Lang\co.txttext
MD5:DE64842F09051E3AF6792930A0456B16
SHA256:DCFB95B47A4435EB7504B804DA47302D8A62BBE450DADF1A34BAEA51C7F60C77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
41
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
POST
200
20.190.160.2:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
3588
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
POST
400
40.126.31.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
400
40.126.31.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
400
20.190.159.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
unknown
GET
200
40.69.42.241:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
IE
unknown
6664
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
DE
binary
813 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3588
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3588
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.0
  • 40.126.31.128
  • 20.190.159.23
  • 20.190.159.64
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 2.23.197.184
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
7zipInstall.exe