File name: UxTheme.dll

Full analysis: https://app.any.run/tasks/cf8ec433-ea90-40cb-a94f-ccb0022c7d2e
Verdict: Malicious activity
Analysis date: April 24, 2025, 10:53:27
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 8 sections
MD5: DED81AFE8B52534D73556659DF1526FD
SHA1: 6E3E2D5A9824EFBE95B191DD3A95ECC5FFE2C13F
SHA256: 90B52BCDDAB0DAF79A483788DD0BC954A820EBC0882DEB6FB11A69E36BF61614
SSDEEP: 24576:JOgFnNQJ/ZfzYrBKIReU9OAZR+R4TtTx+RLExT1LdvgWgNcjt64EG+3:JOgFnNQJ/ZfzYrBwU9PZR+R4TtTx+RLL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • PresentationSettings.exe (PID: 8048)
      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
    • Process drops legitimate windows executable

      • rundll32.exe (PID: 7484)
  • INFO

    • Process checks whether UAC notifications are on

      • PresentationSettings.exe (PID: 8048)
      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
    • Manual execution by a user

      • PresentationSettings.exe (PID: 8048)
      • PresentationSettings.exe (PID: 8036)
      • SystemPropertiesAdvanced.exe (PID: 8024)
      • sessionmsg.exe (PID: 7224)
      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
      • LockScreenContentServer.exe (PID: 1388)
    • Reads the machine GUID from the registry

      • PresentationSettings.exe (PID: 8048)
      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
    • Reads the computer name

      • PresentationSettings.exe (PID: 8048)
      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
    • Checks supported languages

      • PresentationSettings.exe (PID: 8048)
      • sessionmsg.exe (PID: 1328)
      • LockScreenContentServer.exe (PID: 5360)
    • Reads the software policy settings

      • slui.exe (PID: 732)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:04:26 20:53:40+00:00
ImageFileCharacteristics: Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 15.1
CodeSize: 593920
InitializedDataSize: 135168
UninitializedDataSize: -
EntryPoint: 0x91620
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 8.7.30.0
ProductVersionNumber: 8.7.30.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft (R) Red ISAM
FileVersion: 4.00.97
FullVersion: 8.7.3_00-b00
InternalName: MSRD2X40
LegalCopyright: Copyright (C) Mic
InalFilename: MSRD2X40.DL
Jet: n Tabjrmte E
Rsn50Urdate6: 6 ProductVersion
No data.
Total processes: 139
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0


Process information

Each entry lists PID, CMD, Path, Indicators and Parent process, followed by the process details and the modules loaded into it.
PID: 732
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1328
CMD: C:\Users\admin\AppData\Local\MCLvW\sessionmsg.exe
Path: C:\Users\admin\AppData\Local\MCLvW\sessionmsg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Remote Desktop Services Session Message Server
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\mclvw\sessionmsg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1388
CMD: C:\WINDOWS\system32\LockScreenContentServer.exe
Path: C:\Windows\System32\LockScreenContentServer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: LockScreenContent Server
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\lockscreencontentserver.exe
c:\windows\system32\ntdll.dll
PID: 5360
CMD: C:\Users\admin\AppData\Local\tzzEiNEF\LockScreenContentServer.exe
Path: C:\Users\admin\AppData\Local\tzzEiNEF\LockScreenContentServer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: LockScreenContent Server
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\tzzeinef\lockscreencontentserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7224
CMD: C:\WINDOWS\system32\sessionmsg.exe
Path: C:\Windows\System32\sessionmsg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Remote Desktop Services Session Message Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sessionmsg.exe
c:\windows\system32\ntdll.dll
PID: 7484
CMD: "C:\WINDOWS\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\UxTheme.dll, #1
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 8024
CMD: C:\WINDOWS\system32\SystemPropertiesAdvanced.exe
Path: C:\Windows\System32\SystemPropertiesAdvanced.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Advanced System Settings
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\systempropertiesadvanced.exe
c:\windows\system32\ntdll.dll
PID: 8036
CMD: C:\WINDOWS\system32\PresentationSettings.exe
Path: C:\Windows\System32\PresentationSettings.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Mobile PC Presentation Adaptability Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\presentationsettings.exe
c:\windows\system32\ntdll.dll
PID: 8048
CMD: C:\Users\admin\AppData\Local\qdmhrP\PresentationSettings.exe
Path: C:\Users\admin\AppData\Local\qdmhrP\PresentationSettings.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Mobile PC Presentation Adaptability Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\qdmhrp\presentationsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
Total events: 3 725
Read events: 3 725
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 4
TCP/UDP connections: 63
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2920 | svchost.exe | GET | 404 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2920 | svchost.exe | GET | 404 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2920 | svchost.exe | GET | 404 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2920 | svchost.exe | GET | 404 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6068 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
8104 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
  • 2603:1030:c02:2::284
whitelisted
198.187.3.20.in-addr.arpa
unknown
4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
crl.microsoft.com
whitelisted

Threats

No threats detected
No debug info