File name: UltraUXThemePatcher_4.4.3.exe

Full analysis: https://app.any.run/tasks/edd65de2-f437-435b-9596-494bc7bc6f56
Verdict: Malicious activity
Analysis date: November 08, 2024, 01:26:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 8992718C128B589E19216EF1609C50C3
SHA1: DEE042937934AE88BA0ADB59752EF5ED13EDB0AD
SHA256: 431675FCBB448567FAFC83FEE2B93C620AB7A7F5D3D7A7C7B922FEC52D58DEB2
SSDEEP: 3072:0iIRsGru9dtkbDCuqIE7zvA328AE7N4DbdeTAskO1GD0RVBDJ:XGsHAfCtIE77A328A84DE9kOID0Jt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • The process creates files with name similar to system file names

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Executable content was dropped or overwritten

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6220)
    • Process drops legitimate windows executable

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Uses ICACLS.EXE to modify access control lists

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Takes ownership (TAKEOWN.EXE)

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
  • INFO

    • Checks supported languages

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Create files in a temporary directory

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Reads the computer name

      • UltraUXThemePatcher_4.4.3.exe (PID: 6368)
    • Manages system restore points

      • SrTasks.exe (PID: 2364)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.3.0
ProductVersionNumber: 4.4.3.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: UltraUXThemePatcher modifies your system file(s) to use 3rd party themes
CompanyName: Manuel Hoefs (Zottel)
FileDescription: Windows UltraUXThemePatcher
FileVersion: 4.4.3.0
InternalName: UltraUXThemePatcher_4.4.3
LegalCopyright: 2008 - 2024 Manuel Hoefs (Zottel)
LegalTrademarks: UltraUXThemePatcher created by Manuel Hoefs (Zottel)
OriginalFileName: UltraUXThemePatcher_4.4.3.exe
ProductName: UltraUXThemePatcher
ProductVersion: 4.4.3.0
Website: https://mhoefs.eu
Total processes: 146
Monitored processes: 18
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes in the graph, in the order listed ("no specs" marks a node with no signature hits):
start | ultrauxthemepatcher_4.4.3.exe | SPPSurrogate (no specs) | vssvc.exe (no specs) | srtasks.exe (no specs) | conhost.exe (no specs) | takeown.exe (no specs) | conhost.exe (no specs) | icacls.exe (no specs) | conhost.exe (no specs) | takeown.exe (no specs) | conhost.exe (no specs) | takeown.exe (no specs) | conhost.exe (no specs) | icacls.exe (no specs) | conhost.exe (no specs) | takeown.exe (no specs) | conhost.exe (no specs) | ultrauxthemepatcher_4.4.3.exe (no specs)

Process information

PID: 204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: takeown.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1568
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

PID: 2360
CMD: "C:\WINDOWS\system32\takeown.exe" /f "C:\WINDOWS\system32\themeui.dll"
Path: C:\Windows\System32\takeown.exe
Parent process: UltraUXThemePatcher_4.4.3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Takes ownership of a file
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2364
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: dllhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Windows System Protection background tasks.
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 3508
CMD: "C:\WINDOWS\system32\takeown.exe" /f "C:\WINDOWS\system32\uxinit.dll"
Path: C:\Windows\System32\takeown.exe
Parent process: UltraUXThemePatcher_4.4.3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Takes ownership of a file
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 3728
CMD: "C:\WINDOWS\system32\icacls.exe" "C:\WINDOWS\system32\themeui.dll" /grant admin:F
Path: C:\Windows\System32\icacls.exe
Parent process: UltraUXThemePatcher_4.4.3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4088
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: takeown.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4260
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: takeown.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 5564
CMD: "C:\WINDOWS\system32\takeown.exe" /f "C:\WINDOWS\system32\themeui.dll"
Path: C:\Windows\System32\takeown.exe
Parent process: UltraUXThemePatcher_4.4.3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Takes ownership of a file
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 1 030
Read events: 996
Write events: 25
Delete events: 9

Modification events

Process: (6368) UltraUXThemePatcher_4.4.3.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000501B2E7D7D31DB01E018000000190000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000501B2E7D7D31DB01200600007C0F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 480000000000000060A2757D7D31DB01200600007C0F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 480000000000000060A2757D7D31DB01200600007C0F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 48000000000000002108787D7D31DB01200600007C0F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4800000000000000C68D817D7D31DB01200600007C0F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 11

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000D9E2EC7D7D31DB01200600007C0F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1568) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000A946EF7D7D31DB0120060000D8130000E80300000100000000000000000000002DCBD47DAF900D4193EB374BFEC6FE1200000000000000000000000000000000

Process: (6220) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 48000000000000007F28FB7D7D31DB014C180000380C0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 13
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1568 | dllhost.exe | C:\System Volume Information\SPP\metadata-2 |
MD5:
SHA256:

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsqC85C.tmp\modern-wizard.bmp | image
MD5: 5F728E4E6B970DB76C64BE8CA3CAFC87
SHA256: AEA40659BDB08337064640EA8B4F171881D37456B37B3E2899349AC04F0889C5

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsqC85C.tmp\nsDialogs.dll | executable
MD5: B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA256: 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsqC85C.tmp\System.dll | executable
MD5: 192639861E3DC2DC5C08BB8F8C7260D5
SHA256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Users\admin\AppData\Local\Temp\nsqC85C.tmp\SysRestore.dll | executable
MD5: 4310BD09FC2300B106F0437B6E995330
SHA256: C686B4DF9B4DB50FC1DDB7BE4CD50D4B1D75894288F4DC50571B79937D7C0D7E

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Windows\System32\uxinit.dll | executable
MD5: 40C064486D8D485BCCB0020EE33CCF8A
SHA256: F5D9874C6FF19307DA15FEFF354C7CD755945B7BACA6F3B6022B8347EB34CEFC

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Windows\System32\uxinit.dll.old | executable
MD5: F125A0876D8684A04F4BABD010DAF904
SHA256: D45894E386AA667220EA8B5397A82449EDC8E977EE1EA8CB2B78FFEE2A64A73B

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UltraUXThemePatcher\Uninstall.lnk | binary
MD5: 9EDE5962CC7B7C5640D908733F509E44
SHA256: 6BCBE2D67B570AAF2333F87B5CBBA307AE8CEAF7ECBC19E8906FC95F14721958

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Windows\System32\themeui.dll.backup | executable
MD5: DD04F37E7E19F9BCBCCE3119D2B30D2F
SHA256: 69B401FF2CF6762E18B5665B40CFE2DDC143DCF7DA1C635036844A745918E67D

6368 | UltraUXThemePatcher_4.4.3.exe | C:\Windows\System32\themeui.dll.new | executable
MD5: DD04F37E7E19F9BCBCCE3119D2B30D2F
SHA256: 69B401FF2CF6762E18B5665B40CFE2DDC143DCF7DA1C635036844A745918E67D
HTTP(S) requests: 7
TCP/UDP connections: 21
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6944 | svchost.exe | GET | 200 | 2.16.168.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
864 | RUXIMICS.exe | GET | 200 | 2.16.168.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
864 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | POST | 204 | 2.16.204.135:443 | https://www.bing.com/threshold/xls.aspx | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
864 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.168.11:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.168.11:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
864 | RUXIMICS.exe | 2.16.168.11:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
6944 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2, 40.127.240.158 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 2.16.168.11, 2.16.168.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 20.189.173.14 | whitelisted
www.bing.com | 2.23.209.182, 2.23.209.187, 2.23.209.130 | whitelisted

Threats

No threats detected
No debug info