File name: UEPrereqSetup_x64.exe

Full analysis: https://app.any.run/tasks/f1889a43-7f0d-47d3-ad17-f3aa32e80d0b
Verdict: Malicious activity
Analysis date: August 01, 2025, 03:56:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: EB27B8D93BBF88B9A2E9996A43663BC9
SHA1: 18A2E3BC89933582511DCF5509CE9946757EBF8E
SHA256: 794B69FF214714AD55CE778B6278493C1304512B4D0A2710883B0FFA1F88003D
SSDEEP: 393216:qAhh9tiC5hbuh+Fq6cd+teFZ21bwttVmgorCkMbJyhcUBgtzD3Xa:qmh9tiCX6AAgqiph87Xa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Searches for installed software
      • UEPrereqSetup_x64.exe (PID: 4224)
    • There is functionality for taking screenshot (YARA)
      • UEPrereqSetup_x64.exe (PID: 4224)
    • Executable content was dropped or overwritten
      • UEPrereqSetup_x64.exe (PID: 4224)
  • INFO
    • Create files in a temporary directory
      • UEPrereqSetup_x64.exe (PID: 4224)
    • Checks supported languages
      • UEPrereqSetup_x64.exe (PID: 4224)
    • The sample compiled with English language support
      • UEPrereqSetup_x64.exe (PID: 4224)
    • Reads the computer name
      • UEPrereqSetup_x64.exe (PID: 4224)
    • Checks proxy server information
      • slui.exe (PID: 6504)
    • Reads the software policy settings
      • slui.exe (PID: 6504)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:11:28 14:14:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 235008
InitializedDataSize: 169472
UninitializedDataSize: -
EntryPoint: 0x267a5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.21.0
ProductVersionNumber: 1.0.21.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Epic Games, Inc.
FileDescription: UE Prerequisites (x64)
FileVersion: 1.0.21.0
InternalName: setup
LegalCopyright: Copyright Epic Games, Inc.
OriginalFileName: UEPrereqSetup_x64.exe
ProductName: UE Prerequisites (x64)
ProductVersion: 1.0.21.0
All screenshots are available in the full report
Total processes: 131
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (nodes): start, ueprereqsetup_x64.exe, slui.exe

Process information

PID: 4224
CMD: "C:\Users\admin\Desktop\UEPrereqSetup_x64.exe"
Path: C:\Users\admin\Desktop\UEPrereqSetup_x64.exe
Parent process: explorer.exe
User: admin
Company: Epic Games, Inc.
Integrity Level: MEDIUM
Description: UE Prerequisites (x64)
Version: 1.0.21.0
Modules (images):
c:\users\admin\desktop\ueprereqsetup_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6504
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 891
Read events: 3 891
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 7
Unknown types: 0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\LogoSide.png | image | 702684FF196740EBAEDB34BECA30346F | EB72044A483D1FD122A82297DE2E9142E7167BD4126E74BF9E56FEB5264107B7 |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\Banner.bmp | image | 87300B4C1B1D79F75E3C406043D73ACB | D175F62C2B562D162D50EBA27A8E61384E7A1CFFEE043ECBB7CCFC80680C8B5A |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\thm.xml | xml | 002167DD020013C2814485A91E9AC1BA | 5046116159F25D0DCF96FB3EDF486A8630F240C8D5578910636CD702970B1BD0 |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\logo.png | image | 8346E21859A269DCCF1E408DC7593CCA | CD2E8ED1FBB308D9D166F49794D323A9B22EFBA1033CDF906D1F4B030319E01B |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\wixstdba.dll | executable | 36B53C5299A3B39E5C9CDBBD28A09506 | 97F1901E7C928B9231E503CD3A1315F0D8449356B9F25E7EB4C2CEBEEE72012A |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\thm.wxl | xml | 8F24E7371D3D8E24E28DFE0870E9BD5F | 60D44698F9334243DD351006AECB68379B8CF7000A05353638257A7D8FCA6CDE |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\license.rtf | text | 37EC54C5DA383498C2662742AF83F502 | 71BB04E77BFDAECA81AEBEF50B7862EACEB7A18816B3C6D7FB81AB1928E84AC7 |
| 4224 | UEPrereqSetup_x64.exe | C:\Users\admin\AppData\Local\Temp\{e9d9f387-657e-40d8-8f5b-4fc1aa768343}\.ba1\BootstrapperApplicationData.xml | xml | 182C5C28A26176F5616A25390FD38A32 | A9C67F701D83A75110ED126401306FE948A91B3024ED074EF40270B27EDEE1F7 |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 46
TCP/UDP connections: 52
DNS requests: 19
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
|  |  | GET | 200 | 95.101.35.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown |  |  | whitelisted |
| 1268 | svchost.exe | GET | 200 | 95.101.35.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown |  |  | whitelisted |
| 1268 | svchost.exe | GET | 200 | 184.28.154.92:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted |
|  |  | GET | 200 | 184.28.154.92:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 184.28.154.92:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted |
|  |  | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
|  |  | POST | 400 | 20.190.160.65:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
|  |  | POST | 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
|  |  | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
|  |  | POST | 400 | 20.190.160.5:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
|  |  | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 |  |  |  | whitelisted |
| 4 | System | 192.168.100.255:138 |  |  |  | whitelisted |
| 1268 | svchost.exe | 95.101.35.8:80 | crl.microsoft.com | Orange | NL | whitelisted |
|  |  | 95.101.35.8:80 | crl.microsoft.com | Orange | NL | whitelisted |
| 1268 | svchost.exe | 184.28.154.92:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 184.28.154.92:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
|  |  | 184.28.154.92:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
| 2288 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted |
| google.com | 142.250.185.142 | whitelisted |
| crl.microsoft.com | 95.101.35.8, 95.101.35.35 | whitelisted |
| www.microsoft.com | 184.28.154.92, 2.20.118.102 | whitelisted |
| login.live.com | 20.190.160.3, 20.190.160.17, 20.190.160.132, 20.190.160.130, 20.190.160.5, 20.190.160.128, 20.190.160.131, 20.190.160.65 | whitelisted |
| slscr.update.microsoft.com | 74.178.240.61 | whitelisted |
| fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted |
| self.events.data.microsoft.com | 20.50.201.204 | whitelisted |
| activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted |
| x1.c.lencr.org | 72.246.169.163 | whitelisted |

Threats

No threats detected
No debug info