URL:

https://github.com/marticliment/UniGetUI/releases/download/3.1.5/UniGetUI.Installer.exe

Full analysis: https://app.any.run/tasks/3a7e8253-528a-42a0-bd81-689f642efe90
Verdict: Malicious activity
Analysis date: January 16, 2025, 04:21:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
Indicators:
MD5:

E54A989543C989A52C5C6D4946CDDC82

SHA1:

DAE4F870B48F58168092CB3C9A987D180BBD15B6

SHA256:

7949E86ADB91757F7C13A2FA1C927A15D03795F366E6CCF3D4A3803B7143805D

SSDEEP:

3:N8tEd4uiIuRr8wDdkCWgsLMiARwbWigXLNn:2uuwuRr8ud4gq8RCgXLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • UniGetUI.Installer.tmp (PID: 5588)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6692)
      • powershell.exe (PID: 3688)

    • Changes powershell execution policy (Bypass)

      • UniGetUI.exe (PID: 6560)
      • UniGetUI.Installer.tmp (PID: 5588)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • UniGetUI.Installer.exe (PID: 5028)
      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4764)
      • MicrosoftEdgeWebview_X64_131.0.2903.146.exe (PID: 7940)
      • setup.exe (PID: 6376)
      • csc.exe (PID: 7844)
      • csc.exe (PID: 5980)
      • csc.exe (PID: 2392)

    • Reads the Windows owner or organization settings

      • UniGetUI.Installer.tmp (PID: 5588)

    • Reads security settings of Internet Explorer

      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • MicrosoftEdgeUpdate.exe (PID: 7728)
      • UniGetUI.exe (PID: 6560)
      • winget.exe (PID: 6980)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 1684)
      • winget.exe (PID: 6420)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 4764)
      • MicrosoftEdgeUpdate.exe (PID: 5460)

    • Process drops legitimate windows executable

      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4764)
      • MicrosoftEdgeWebview_X64_131.0.2903.146.exe (PID: 7940)
      • setup.exe (PID: 6376)
      • UniGetUI.Installer.tmp (PID: 5588)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5460)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 5032)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7232)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7568)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 7728)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 6420)
      • winget.exe (PID: 1684)

    • Application launched itself

      • setup.exe (PID: 6376)
      • MicrosoftEdgeUpdate.exe (PID: 7728)

    • Uses TASKKILL.EXE to kill process

      • UniGetUI.Installer.tmp (PID: 5588)

    • Drops 7-zip archiver for unpacking

      • UniGetUI.Installer.tmp (PID: 5588)

    • The process executes Powershell scripts

      • UniGetUI.Installer.tmp (PID: 5588)

    • The process hide an interactive prompt from the user

      • UniGetUI.Installer.tmp (PID: 5588)

    • Starts POWERSHELL.EXE for commands execution

      • UniGetUI.exe (PID: 6560)
      • UniGetUI.Installer.tmp (PID: 5588)

    • Creates file in the systems drive root

      • explorer.exe (PID: 4488)

    • Starts application with an unusual extension

      • UniGetUI.exe (PID: 6560)

    • The process bypasses the loading of PowerShell profile settings

      • UniGetUI.exe (PID: 6560)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7844)
      • csc.exe (PID: 2392)
      • csc.exe (PID: 5980)

    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 7000)
      • powershell.exe (PID: 6764)

    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 7000)
      • powershell.exe (PID: 6764)

    • Searches for installed software

      • winget.exe (PID: 6468)
      • winget.exe (PID: 1684)
      • winget.exe (PID: 6420)

  • INFO

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3612)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)

    • Application launched itself

      • firefox.exe (PID: 5916)
      • firefox.exe (PID: 3612)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 4488)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • MicrosoftEdgeWebview_X64_131.0.2903.146.exe (PID: 7940)
      • setup.exe (PID: 6356)
      • setup.exe (PID: 6376)
      • UniGetUI.Installer.tmp (PID: 5588)
      • UniGetUI.exe (PID: 6560)
      • choco.exe (PID: 6276)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 6420)

    • The process uses the downloaded file

      • firefox.exe (PID: 3612)
      • explorer.exe (PID: 4488)
      • UniGetUI.Installer.tmp (PID: 5588)
      • pwsh.exe (PID: 4580)
      • powershell.exe (PID: 3416)
      • pwsh.exe (PID: 6780)
      • pwsh.exe (PID: 6720)
      • powershell.exe (PID: 7000)

    • Checks proxy server information

      • explorer.exe (PID: 4488)
      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeUpdate.exe (PID: 7064)
      • powershell.exe (PID: 3416)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 6980)
      • winget.exe (PID: 1684)
      • powershell.exe (PID: 7000)
      • powershell.exe (PID: 6764)
      • winget.exe (PID: 6420)

    • Checks supported languages

      • UniGetUI.Installer.exe (PID: 5028)
      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4764)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • MicrosoftEdgeUpdate.exe (PID: 5032)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7568)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7232)
      • MicrosoftEdgeUpdate.exe (PID: 7064)
      • MicrosoftEdgeUpdate.exe (PID: 7880)
      • MicrosoftEdgeUpdate.exe (PID: 7728)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6544)
      • setup.exe (PID: 6356)
      • MicrosoftEdgeUpdate.exe (PID: 8036)
      • setup.exe (PID: 6376)
      • UniGetUI.exe (PID: 6560)
      • UniGetUI.exe (PID: 5628)
      • chcp.com (PID: 6600)
      • pwsh.exe (PID: 4580)
      • pwsh.exe (PID: 1616)
      • winget.exe (PID: 4592)
      • choco.exe (PID: 6276)
      • winget.exe (PID: 1544)
      • csc.exe (PID: 7844)
      • choco.exe (PID: 7524)
      • cvtres.exe (PID: 7756)
      • choco.exe (PID: 6824)
      • winget.exe (PID: 6468)
      • pwsh.exe (PID: 6720)
      • pwsh.exe (PID: 6780)
      • csc.exe (PID: 5980)
      • cvtres.exe (PID: 1412)
      • csc.exe (PID: 2392)
      • winget.exe (PID: 1684)
      • winget.exe (PID: 6420)

    • Create files in a temporary directory

      • UniGetUI.Installer.exe (PID: 5028)
      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4764)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • winget.exe (PID: 1544)
      • winget.exe (PID: 4592)
      • csc.exe (PID: 7844)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 6980)
      • winget.exe (PID: 1684)
      • csc.exe (PID: 5980)
      • winget.exe (PID: 6420)

    • Reads the computer name

      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • MicrosoftEdgeUpdate.exe (PID: 5032)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7568)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7232)
      • MicrosoftEdgeUpdate.exe (PID: 7064)
      • setup.exe (PID: 6376)
      • MicrosoftEdgeUpdate.exe (PID: 8036)
      • UniGetUI.exe (PID: 5628)
      • UniGetUI.exe (PID: 6560)
      • choco.exe (PID: 6276)
      • pwsh.exe (PID: 1616)
      • winget.exe (PID: 4592)
      • choco.exe (PID: 4056)
      • choco.exe (PID: 7524)
      • choco.exe (PID: 6824)
      • winget.exe (PID: 6420)

    • Reads the software policy settings

      • explorer.exe (PID: 4488)
      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeUpdate.exe (PID: 7064)
      • MicrosoftEdgeUpdate.exe (PID: 7728)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 6980)
      • winget.exe (PID: 1684)
      • winget.exe (PID: 6420)

    • The sample compiled with english language support

      • MicrosoftEdgeWebview2Setup.exe (PID: 4764)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • setup.exe (PID: 6376)
      • MicrosoftEdgeWebview_X64_131.0.2903.146.exe (PID: 7940)
      • UniGetUI.Installer.tmp (PID: 5588)

    • Process checks computer location settings

      • UniGetUI.Installer.tmp (PID: 5588)
      • MicrosoftEdgeUpdate.exe (PID: 5460)
      • setup.exe (PID: 6376)
      • UniGetUI.exe (PID: 6560)
      • pwsh.exe (PID: 4580)
      • pwsh.exe (PID: 6780)
      • winget.exe (PID: 6468)
      • winget.exe (PID: 1684)
      • winget.exe (PID: 6420)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 7064)
      • choco.exe (PID: 4056)
      • choco.exe (PID: 7524)

    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 7728)
      • choco.exe (PID: 4056)
      • choco.exe (PID: 6276)
      • choco.exe (PID: 6824)
      • csc.exe (PID: 7844)
      • choco.exe (PID: 7524)
      • winget.exe (PID: 6468)
      • csc.exe (PID: 5980)
      • csc.exe (PID: 2392)
      • winget.exe (PID: 6420)
      • winget.exe (PID: 1684)

    • The sample compiled with german language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with czech language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with arabic language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with bulgarian language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with Indonesian language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with french language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with spanish language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with Italian language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with japanese language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with portuguese language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with korean language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with polish language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with russian language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with chinese language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with slovak language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with swedish language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • The sample compiled with turkish language support

      • UniGetUI.Installer.tmp (PID: 5588)

    • Creates files in the program directory

      • UniGetUI.exe (PID: 5628)

    • Changes the display of characters in the console

      • UniGetUI.exe (PID: 6560)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3688)

    • Disables trace logs

      • powershell.exe (PID: 3416)
      • choco.exe (PID: 6824)
      • powershell.exe (PID: 6764)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
237
Monitored processes
106
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs explorer.exe unigetui.installer.exe unigetui.installer.tmp microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgewebview_x64_131.0.2903.146.exe setup.exe setup.exe no specs microsoftedgeupdate.exe taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs unigetui.exe no specs unigetui.exe chcp.com no specs conhost.exe no specs powershell.exe no specs where.exe no specs choco.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs where.exe no specs conhost.exe no specs where.exe no specs conhost.exe no specs where.exe no specs conhost.exe no specs where.exe no specs conhost.exe no specs winget.exe no specs conhost.exe no specs where.exe no specs where.exe no specs powershell.exe no specs conhost.exe no specs where.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs where.exe no specs conhost.exe no specs pwsh.exe no specs conhost.exe no specs winget.exe no specs conhost.exe no specs pwsh.exe conhost.exe no specs powershell.exe conhost.exe no specs where.exe no specs conhost.exe no specs choco.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs winget.exe powershell.exe winget.exe choco.exe no specs conhost.exe no specs powershell.exe pwsh.exe no specs conhost.exe no specs conhost.exe no specs choco.exe no specs conhost.exe no specs pwsh.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs winget.exe conhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs svchost.exe winget.exe conhost.exe no specs Delivery Optimization User no specs

Process information

PID
CMD
Path
Indicators
Parent process
556\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewinget.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
880"C:\WINDOWS\system32\where.exe" python.exeC:\Windows\System32\where.exeUniGetUI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Where - Lists location of files
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
1304\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewhere.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1400\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewinget.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5091.tmp" "c:\Users\admin\AppData\Local\Temp\CSC6EC00132270E4386AB835013673CD8AF.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
1544"C:\Users\admin\AppData\Local\Programs\UniGetUI\winget-cli_x64\winget.exe" --versionC:\Users\admin\AppData\Local\Programs\UniGetUI\winget-cli_x64\winget.exeUniGetUI.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1616"C:\Program Files\PowerShell\7\pwsh.exe" -VersionC:\Program Files\PowerShell\7\pwsh.exeUniGetUI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
pwsh
Exit code:
0
Version:
7.3.5.500
1684"C:\Users\admin\AppData\Local\Programs\UniGetUI\winget-cli_x64\winget.exe" update --include-unknown --accept-source-agreementsC:\Users\admin\AppData\Local\Programs\UniGetUI\winget-cli_x64\winget.exe
UniGetUI.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1828"C:\WINDOWS\system32\where.exe" vcpkgC:\Windows\System32\where.exeUniGetUI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Where - Lists location of files
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
1868"C:\WINDOWS\system32\where.exe" dotnet.exeC:\Windows\System32\where.exeUniGetUI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Where - Lists location of files
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
107 723
Read events
106 210
Write events
1 434
Delete events
79

Modification events

(PID) Process:(3612) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000801FE
Operation:writeName:VirtualDesktop
Value:
1000000030304456A48A294F7A40804AB924005FF030B61F
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated
Operation:writeName:308046B0AF4A39CB
Value:
21
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch
Operation:writeName:Microsoft.Windows.Explorer
Value:
51
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
5B89886700000000
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation:writeName:MinimizedStateTabletModeOff
Value:
0
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation:writeName:QatItems
Value:
3C7369713A637573746F6D554920786D6C6E733A7369713D22687474703A2F2F736368656D61732E6D6963726F736F66742E636F6D2F77696E646F77732F323030392F726962626F6E2F716174223E3C7369713A726962626F6E206D696E696D697A65643D2266616C7365223E3C7369713A71617420706F736974696F6E3D2230223E3C7369713A736861726564436F6E74726F6C733E3C7369713A636F6E74726F6C206964513D227369713A3136313238222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3136313239222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333532222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333834222076697369626C653D22747275652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333336222076697369626C653D22747275652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333537222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C2F7369713A736861726564436F6E74726F6C733E3C2F7369713A7161743E3C2F7369713A726962626F6E3E3C2F7369713A637573746F6D55493E
(PID) Process:(4488) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Operation:writeName:ITBar7Layout
Value:
13000000000000000000000020000000100000000000000001000000010700005E01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4488) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(4488) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
03000000040000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
Executable files
1 245
Suspicious files
449
Text files
471
Unknown types
2

Dropped files

PID
Process
Filename
Type
3612firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
3612firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
3612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
3612firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
3612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
3612firefox.exeC:\Users\admin\Downloads\UniGetUI.7syBiMLG.Installer.exe.part
MD5:
SHA256:
4488explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
3612firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2C99A16AED3906D92FFE3EF1808E2753
SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
113
DNS requests
126
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6068
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6068
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3612
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
3612
firefox.exe
POST
200
142.250.185.195:80
http://o.pki.goog/s/wr3/jLM
unknown
whitelisted
3612
firefox.exe
POST
200
172.64.149.23:80
http://ocsp.sectigo.com/
unknown
whitelisted
3612
firefox.exe
POST
142.250.185.195:80
http://o.pki.goog/s/wr3/3cs
unknown
whitelisted
3612
firefox.exe
POST
200
2.16.202.121:80
http://r11.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6068
svchost.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6068
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
google.com
  • 142.250.186.174
  • 142.250.184.238
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
github.com
  • 140.82.121.3
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Potentially Bad Traffic
ET DNS Query for .cc TLD
Not Suspicious Traffic
INFO [ANY.RUN] Image Sharing Service (imgur.com)
Potentially Bad Traffic
ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/marticliment/UniGetUI/releases/download/3.1.5/UniGetUI.Installer.exe