Malware analysis nada_164_046d-uipak_x32.exe Malicious activity

Add for printing

File name:	nada_164_046d-uipak_x32.exe
Full analysis:	https://app.any.run/tasks/903f410e-c262-42ba-9f5d-36c7ab824f14
Verdict:	Malicious activity
Analysis date:	September 21, 2025, 07:38:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	qrcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	391D2487595EF8E8368B9271ABC76799
SHA1:	BFA7D96B893CA7FEA349BA8D01A4F6AC17FBD968
SHA256:	85156B6391D646DFD0A9E8FBFBA5BF234E1F629C78F0844034330A862FD77C1C
SSDEEP:	6144:tzZZxgKlrEf08BCxkA6IGfA9TlM432wa7AfNgm2/xqHTi0zY108OiI:tzZz3wf0YWkIGoBMJ5QN3neVO/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- The process creates files with name similar to system file names
  - nada_164_046d-uipak_x32.exe (PID: 6492)
- Malware-specific behavior (creating "System.dll" in Temp)
  - nada_164_046d-uipak_x32.exe (PID: 6492)
- Launching a dropped file
  - nada_164_046d-uipak_x32.exe (PID: 6492)
  - uninstall.exe (PID: 2876)
- Executable content was dropped or overwritten
  - nada_164_046d-uipak_x32.exe (PID: 6492)
  - uninstall.exe (PID: 2876)
- There is functionality for taking screenshot (YARA)
  - nada_164_046d-uipak_x32.exe (PID: 6492)
- Starts itself from another location
  - uninstall.exe (PID: 2876)
INFO
- Create files in a temporary directory
  - nada_164_046d-uipak_x32.exe (PID: 6492)
  - uninstall.exe (PID: 2876)
- The sample compiled with english language support
  - nada_164_046d-uipak_x32.exe (PID: 6492)
  - uninstall.exe (PID: 2876)
- Checks proxy server information
  - slui.exe (PID: 1508)
- Manual execution by a user
  - Au_.exe (PID: 1268)
  - uninstall.exe (PID: 2876)
  - Au_.exe (PID: 7060)
  - msedge.exe (PID: 1336)
- Reads the computer name
  - nada_164_046d-uipak_x32.exe (PID: 6492)
  - identity_helper.exe (PID: 4196)
- Checks supported languages
  - nada_164_046d-uipak_x32.exe (PID: 6492)
  - uninstall.exe (PID: 2876)
  - identity_helper.exe (PID: 4196)
  - Au_.exe (PID: 1268)
  - Au_.exe (PID: 7060)
  - Au_.exe (PID: 3704)
- Reads Environment values
  - identity_helper.exe (PID: 4196)
- Application launched itself
  - msedge.exe (PID: 1336)
- Reads the software policy settings
  - slui.exe (PID: 1508)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:09:09 13:23:33+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	26624
InitializedDataSize:	475136
UninitializedDataSize:	16896
EntryPoint:	0x3415
OSVersion:	5
ImageVersion:	6.1
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	2.0.119.0
ProductVersionNumber:	2.0.119.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	Logitech
CompanyWebsite:	http://www.logitech.com
FileDescription:	-
FileVersion:	2
LegalCopyright:	-
ProductName:	LogiUI Pak
ProductVersion:	2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

193

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3652,i,7252976750735680898,1871839335150953328,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

536

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7568,i,7252976750735680898,1871839335150953328,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1056

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=6192,i,7252976750735680898,1871839335150953328,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1268

"C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"

C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

—

explorer.exe

User:

admin

Company:

Logitech

Integrity Level:

MEDIUM

Exit code:

Version:

2.00

Modules

Images
c:\users\admin\appdata\local\temp\~nsu.tmp\au_.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1336

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1508

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2304

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6580,i,7252976750735680898,1871839335150953328,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2304

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=7772,i,7252976750735680898,1871839335150953328,262144 --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2876

"C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\uninstall.exe"

C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\uninstall.exe

explorer.exe

User:

admin

Company:

Logitech

Integrity Level:

MEDIUM

Exit code:

Version:

2.00

Modules

Images
c:\users\admin\appdata\local\temp\logiui\pak\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3092

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2072,i,7252976750735680898,1871839335150953328,262144 --variations-seed-version --mojo-platform-channel-handle=2420 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

5 980

Read events

5 921

Write events

Delete events

Modification events


(PID) Process:	(6492) nada_164_046d-uipak_x32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiShrd\DownloadAssistant
Operation:	write	Name:	UIPath
Value: C:\Users\admin\AppData\Local\Temp\LogiUI\Pak
(PID) Process:	(6492) nada_164_046d-uipak_x32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiShrd\DownloadAssistant
Operation:	write	Name:	UIRemove
Value: C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\uninstall.exe
(PID) Process:	(6492) nada_164_046d-uipak_x32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiUI Pak\Components
Operation:	write	Name:	UI
Value: 1
(PID) Process:	(6492) nada_164_046d-uipak_x32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiUI Pak
Operation:	write	Name:	Path
Value: C:\Users\admin\AppData\Local\Temp\LogiUI\Pak
(PID) Process:	(6492) nada_164_046d-uipak_x32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiUI Pak
Operation:	write	Name:	StartMenuGroup
Value: LogiLang Pak
(PID) Process:	(6492) nada_164_046d-uipak_x32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiUI Pak
Operation:	write	Name:	InstallerLanguage
Value: 1033
(PID) Process:	(3704) Au_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiShrd\DownloadAssistant
Operation:	delete value	Name:	UIPath
Value: C:\Users\admin\AppData\Local\Temp\LogiUI\Pak
(PID) Process:	(3704) Au_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiShrd\DownloadAssistant
Operation:	delete value	Name:	UIRemove
Value: C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\uninstall.exe
(PID) Process:	(3704) Au_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiUI Pak\Components
Operation:	delete value	Name:	UI
Value: 1
(PID) Process:	(3704) Au_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\LogiUI Pak\Components
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

850

Text files

159

Unknown types

Dropped files

PID	Process	Filename		Type
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\nspCC06.tmp\modern-wizard.bmp		image
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\html\download.html		html
		MD5:8B9EB8DB472EBE5F0433AF26DC7D676F	SHA256:5B29978827B527001EDE12D08281C36CDCDF7C3D228B91166893285FCF7B4634
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\css\basic-quickflips.css		text
		MD5:F3856202AA9A07416089BA98AD01419E	SHA256:3502017550AF6C2E1BC08C5E0A5A55C1C48706BC10A51CF2212E3A6F687791DB
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\html\welcome.html		binary
		MD5:CFCB0E546D9A5B527FCBD970D5285BC7	SHA256:2065BCFA62B410FFA2B79AFC102B78A5071301CF16F94D2D42C12BE8365AB253
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\css\smart.css		text
		MD5:119E08845635C6B45D3AAAECE1801072	SHA256:98FCC4A906EC8E2534224EF834E8CB1A440BDA4D2C15044D434FDBE9BCC1E9D5
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\img\button_close_disabled.png		image
		MD5:B5F344C060C2A81EB9CFDF8FF56B776A	SHA256:9EE069E6F1C689AF4B21CA276BA7EFC117AE2D391894A03CA75E91B9D70E4F44
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\html\finish.html		html
		MD5:572FD27E56F1A964DD0D44350FBB0572	SHA256:B82DEA4689E45D9C1861D03AD7719CC17340EAC08225206769E3A7FC8817AFA6
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\img\icon_error.png		image
		MD5:2FCD5ED873E72D95412A3AA11E04650F	SHA256:6F2DE92FDED990DEF91A02BA1F289C4FDE1121E3B01A6EF5888EB117B4118123
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\img\logo.png		image
		MD5:9F06CA5B2F3A8777D742C7494679905B	SHA256:5992638A5C0BB07CEBD61F48BC56029808B5B5A1E6403DC0DFB42037A2771441
6492	nada_164_046d-uipak_x32.exe	C:\Users\admin\AppData\Local\Temp\LogiUI\Pak\img\logo-too-big.png		image
		MD5:1C91C0EAE593C8AEA82B2D5F5B15366C	SHA256:7E2FAF415843068E0E4136DF6D6A16771C94A8C33A7F9B7943A283BB1983110F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

154

DNS requests

153

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	92.123.133.196:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	2.23.10.85:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	CZ	binary	814 b	whitelisted
1128	SIHClient.exe	GET	200	2.23.10.85:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	CZ	binary	419 b	whitelisted
5708	svchost.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	GB	binary	471 b	whitelisted
1128	SIHClient.exe	GET	200	2.23.10.85:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	CZ	binary	813 b	whitelisted
1128	SIHClient.exe	GET	200	2.23.10.85:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	CZ	binary	407 b	whitelisted
1128	SIHClient.exe	GET	200	92.123.133.198:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	DE	binary	824 b	whitelisted
1128	SIHClient.exe	GET	200	2.23.10.85:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	CZ	binary	400 b	whitelisted
1128	SIHClient.exe	GET	200	2.23.10.85:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	CZ	binary	401 b	whitelisted
5328	SearchApp.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	GB	binary	313 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5468	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	92.123.133.196:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	2.23.10.85:80	www.microsoft.com	AKAMAI-AS	CZ	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 4.231.128.59 51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	92.123.133.196 92.123.133.198	whitelisted
www.microsoft.com	2.23.10.85	whitelisted
login.live.com	20.190.159.73 20.190.159.71 40.126.31.71 40.126.31.2 40.126.31.128 20.190.159.130 40.126.31.67 20.190.159.23 20.190.160.4 40.126.32.76 20.190.160.64 40.126.32.138 20.190.160.20 20.190.160.22 20.190.160.132 40.126.32.74	whitelisted
ocsp.digicert.com	104.78.173.167 184.30.131.245	whitelisted
slscr.update.microsoft.com	135.232.92.137	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
self.events.data.microsoft.com	51.11.192.51	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	Potentially Bad Traffic	ET INFO Possible Chrome Plugin install
3092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Add for printing

No debug info

General Info

nada_164_046d-uipak_x32.exe

391D2487595EF8E8368B9271ABC76799

BFA7D96B893CA7FEA349BA8D01A4F6AC17FBD968

85156B6391D646DFD0A9E8FBFBA5BF234E1F629C78F0844034330A862FD77C1C

6144:tzZZxgKlrEf08BCxkA6IGfA9TlM432wa7AfNgm2/xqHTi0zY108OiI:tzZz3wf0YWkIGoBMJ5QN3neVO/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

Launching a dropped file

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Starts itself from another location

INFO

Create files in a temporary directory

The sample compiled with english language support

Checks proxy server information

Manual execution by a user

Reads the computer name

Checks supported languages

Reads Environment values

Application launched itself

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings