File name:

MDAC_TYP.EXE

Full analysis: https://app.any.run/tasks/44b15be5-ecae-4f0d-8a03-0cc279bcdcfe
Verdict: Malicious activity
Analysis date: March 21, 2025, 20:20:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MS CAB-Installer self-extracting archive, 3 sections
MD5:

DB045F71B17E39DCF3855AE37EF97353

SHA1:

8BE723A88DA18BDED00538A2AC85285DB8B4A4C1

SHA256:

9688ED4B64DAAB5D99DDF782B41858B0F951A2AF3C54E159B6DDB56DF26C6628

SSDEEP:

98304:COiRpXAeys23t2D1OmlnEqyfh0kR7QB2I4zrgqAKZDL8IJ97SLi/0ggk17hixvTT:i8Bb/CmeDr7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • MDAC_TYP.EXE.exe (PID: 5164)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • RUXIMICS.exe (PID: 5164)

    • Starts a Microsoft application from unusual location

      • MDAC_TYP.EXE.exe (PID: 5164)

  • INFO

    • The sample compiled with spanish language support

      • RUXIMICS.exe (PID: 5164)

    • Manual execution by a user

      • RUXIMICS.exe (PID: 7148)

    • Checks supported languages

      • MDAC_TYP.EXE.exe (PID: 5164)
      • RUXIMICS.exe (PID: 7148)

    • Reads the computer name

      • MDAC_TYP.EXE.exe (PID: 5164)

    • Creates files in the program directory

      • RUXIMICS.exe (PID: 7148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (44.9)
.exe | Win64 Executable (generic) (39.7)
.exe | Win32 Executable (generic) (6.4)
.exe | Win16/32 Executable Delphi generic (2.9)
.exe | Generic Win/DOS Executable (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1998:03:11 01:39:29+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 36864
InitializedDataSize: 6429184
UninitializedDataSize: -
EntryPoint: 0x2749
OSVersion: 5
ImageVersion: 5
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.72.3110.0
ProductVersionNumber: 4.72.3110.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Spanish (Modern)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 4.72.3110.0
InternalName: Wextract
LegalCopyright: (C) Microsoft Corporation 1981-1997
OriginalFileName: WEXTRACT.EXE
ProductName: Sistema operativo Microsoft(R) Windows NT(R)
ProductVersion: 4.72.3110.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
5
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start start ruximics.exe ruximics.exe no specs mdac_typ.exe.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5164%ProgramFiles%\RUXIM\RUXIMICS.EXE /onlyloadcampaignsC:\Program Files\RUXIM\RUXIMICS.exe
PLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\mdac_typ.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
5164"C:\Users\admin\AppData\Local\Temp\MDAC_TYP.EXE.exe" C:\Users\admin\AppData\Local\Temp\MDAC_TYP.EXE.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Version:
4.72.3110.0
Modules
Images
c:\users\admin\appdata\local\temp\mdac_typ.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7148%ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetworkC:\Program Files\RUXIM\RUXIMICS.exePLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
7272C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7308"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
170
Read events
168
Write events
2
Delete events
0

Modification events

(PID) Process:(5164) RUXIMICS.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\OneSettingsSync
Operation:writeName:x-ms-onesetinterval
Value:
1440
(PID) Process:(5164) RUXIMICS.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\OneSettingsSync
Operation:writeName:RefreshAfter
Value:
A8066AD2679BDB01
Executable files
0
Suspicious files
43
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.048.etlbinary
MD5:5EA68411BF8E9EAF4621BAF73F61449E
SHA256:9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.046.etlbinary
MD5:FED961067F664B5381B65A534B7AB728
SHA256:652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.045.etlbinary
MD5:A7A21FBC9D00F33F186B34A50E170C13
SHA256:64CAC91E46D4FC832958232A658431CBF9D8D9F265653ACA2BEB32428D4688EC
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.043.etlbinary
MD5:B53B2070E686FFB1FBC8B06994E7C8D7
SHA256:A3ABD06F4E40CB700B1908AB6BCD2E27455E13EF076E0BF2345BB2FA369EF802
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.044.etlbinary
MD5:89BD161BF7B46C9078937CF832786737
SHA256:2B83DF5532E9F54ED301C8F82E2CDD489799C8D5222A2D44C97DCB151A96FAA9
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.042.etlbinary
MD5:8A2BDE0EAFA7E946196A1B114AB636E9
SHA256:1C338CBDD9316D7FD8F208341466FEDC554A04D489B3A86C736EC3831A2F2BA2
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.041.etlbinary
MD5:C1F87CF12DD702D2185E703BA004D216
SHA256:9D993487866C9538DC19F281A6346E1796E7478C7C164D61437AF6E698C66125
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.038.etlbinary
MD5:0DE8B8CBE71A7CD60D67AFE279E1ACB9
SHA256:D17A442ABEB021BFA77E5EDAB3D7F3C6FFEA9C33B8D04409D149B518C5FDB57C
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.049.etlbinary
MD5:C8834D365FAE073DEDE1F1620454CE71
SHA256:C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
7148RUXIMICS.exeC:\ProgramData\PLUG\Logs\RUXIMLog.040.etlbinary
MD5:09359EE89B0634478ADFF73CDA7BFB12
SHA256:4D800AC7C55960B107C9D3E40F63130407835E69DF4F5C558C500FC0BD20D8ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8012
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8012
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4380
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.190:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5164
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
20.198.162.76:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4380
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4380
backgroundTaskHost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
8012
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.190
  • 23.48.23.183
  • 23.48.23.140
  • 23.48.23.138
  • 23.48.23.137
  • 23.48.23.139
  • 23.48.23.145
  • 23.48.23.194
  • 23.48.23.193
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 20.198.162.76
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.130
  • 40.126.31.69
  • 40.126.31.1
  • 40.126.31.3
  • 40.126.31.131
  • 20.190.159.2
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MDAC_TYP.EXE