File name: ui.exe

Full analysis: https://app.any.run/tasks/a620c3db-94f7-458e-95c0-e10e22f2806e
Verdict: Malicious activity
Analysis date: January 08, 2025, 15:17:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: D77B1189017544EE50D0DFADE5484428
SHA1: 269E15C2FF66B9474F0CB758746EEFE4096435B0
SHA256: B925133ABD817479082A6F1DEF3D02CFD0C5C72862CC563131833DE69DF214B4
SSDEEP: 49152:ygE6Str4QGB+1J1csWEtri9PGlwrKP/PJbzi8ADlDPNRj:ygE6SeQZ1jtWEpi9PGlwrgP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Checks for external IP
      • ui.exe (PID: 6444)
      • svchost.exe (PID: 2192)
    • Potential Corporate Privacy Violation
      • ui.exe (PID: 6444)
      • svchost.exe (PID: 2192)
  • INFO
    • Reads the computer name
      • ui.exe (PID: 6444)
    • Checks supported languages
      • ui.exe (PID: 6444)
    • Reads the machine GUID from the registry
      • ui.exe (PID: 6444)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:26 16:51:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 14.29
CodeSize: 791040
InitializedDataSize: 391680
UninitializedDataSize: -
EntryPoint: 0x138eb
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 127
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start -> ui.exe, svchost.exe

Process information

PID | CMD | Path | Parent process
2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll
6444 | "C:\Users\admin\AppData\Local\Temp\ui.exe" | C:\Users\admin\AppData\Local\Temp\ui.exe | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\ui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
Total events: 965
Read events: 918
Write events: 23
Delete events: 24

Modification events

(PID) Process | Key | Operation | Name | Value
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | write | Owner | 2C190000A203A46FE061DB01
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | write | SessionHash | 7E6A7EFFCFE322DB37AAD82DD6DF7FDB9A031F7353576752BAB4D1892082AE05
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | write | Sequence | 1
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | write | RegFiles0000 | \\?\C:\Users\admin\ntuser.dat.LOG2
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | write | RegFilesHash | 3394E389A31055B48F7DDE331D569941642B17CB303FD60B979A5536A777654A
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002 | write | Owner | 2C190000A203A46FE061DB01
(6444) ui.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0002 | write | SessionHash | D0EF5FFA9320AEED9F931019545434A49075A20786F334FD74E9288911F4A54E
Executable files: 0
Suspicious files: 74
Text files: 55
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6444 | ui.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | der | C9BE626E9715952E9B70F92F912B9787 | C13E8D22800C200915F87F71C31185053E4E60CA25DE2E41E160E09CD2D815D4
6444 | ui.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | binary | 971C514F84BBA0785F80AA1C23EDFD79 | F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6444 | ui.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | binary | 6430F4F266D552F07375B6A8EAF66940 | E9A2FFF7F9A820ABF959B2F7474CE5A6BE5E58FD57AC514874935624F86650CA
6444 | ui.exe | C:\Users\admin\Contacts\README.TXT | text | 35EB00CD9B384B76C7F476ECABC2FECC | FBFA79BB81C1A5A9A6B38F337437F1A5F5429049608C9F9F232BF09FCD6A9684
6444 | ui.exe | C:\Users\Public\README.TXT | text | 35EB00CD9B384B76C7F476ECABC2FECC | FBFA79BB81C1A5A9A6B38F337437F1A5F5429049608C9F9F232BF09FCD6A9684
6444 | ui.exe | C:\Users\admin\Links\README.TXT | text | 35EB00CD9B384B76C7F476ECABC2FECC | FBFA79BB81C1A5A9A6B38F337437F1A5F5429049608C9F9F232BF09FCD6A9684
6444 | ui.exe | C:\BOOTNXT | binary | B4BF48CB09A2E58232942761E2B5A880 | D094D82E9C5AFDBF1AC1506AD2D101013279CDAD6C19351BFEA41738DA234813
6444 | ui.exe | C:\bootTel.dat | binary | 598FBBD2209A0F9A84AD9C903FB644FF | 2C0414007D9F3748E43D3A8B9B01B4D7E3A29AB75E9D6BE1F7D8EC76186E5864
6444 | ui.exe | C:\Users\admin\.ms-ad\README.TXT | text | 35EB00CD9B384B76C7F476ECABC2FECC | FBFA79BB81C1A5A9A6B38F337437F1A5F5429049608C9F9F232BF09FCD6A9684
6444 | ui.exe | C:\Users\admin\Downloads\README.TXT | text | 35EB00CD9B384B76C7F476ECABC2FECC | FBFA79BB81C1A5A9A6B38F337437F1A5F5429049608C9F9F232BF09FCD6A9684
HTTP(S) requests: 7
TCP/UDP connections: 39
DNS requests: 14
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6444 | ui.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted
5400 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5400 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6444 | ui.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
7108 | SIHClient.exe | GET | 200 | 23.209.210.103:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7108 | SIHClient.exe | GET | 200 | 23.209.210.103:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 192.229.221.95:80 | - | EDGECAST | US | whitelisted
5208 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6444 | ui.exe | 192.168.100.2:445 | - | - | - | whitelisted
6444 | ui.exe | 192.168.100.1:445 | - | - | - | unknown
6444 | ui.exe | 192.168.100.199:445 | - | - | - | unknown
6444 | ui.exe | 192.168.100.203:445 | - | - | - | unknown

DNS requests

Domain | IP | Reputation
login.live.com | 40.126.32.140, 40.126.32.76, 40.126.32.74, 20.190.160.20, 40.126.32.68, 40.126.32.133, 40.126.32.134, 40.126.32.72 | whitelisted
iplogger.co | 172.67.167.249, 104.21.82.93 | shared
c.pki.goog | 142.250.185.195 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted
fd.api.iris.microsoft.com | 20.74.47.205 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
www.microsoft.com | 23.209.210.103 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted

Threats

2 ETPRO signatures (details available in the full report)
No debug info