File name:

VolcanoUI.exe

Full analysis: https://app.any.run/tasks/33797ebb-066b-4a86-9529-565c6d660574
Verdict: Malicious activity
Analysis date: November 14, 2025, 01:04:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
themida
xor-url
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 14 sections
MD5: 0FCE49DA23D127F53C92EFD9B9ACB686
SHA1: B003400C06803B2B54F7036486939D55AA540FA9
SHA256: F3E0C8771F41DAAB6154F9635668DCC6C782C6C2C84AD53A6F2657C0DE4C727D
SSDEEP: 98304:XzNX1zRY4aAH4l8EUeCo+uK7Sp0+DrSLS21slLjN+cBnCfVTLxr4AW+oEU9997H0:jR3auTTm2iIsjMEn1cwfc4+qqiQaeAW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • VolcanoUI.exe (PID: 7424)
  • SUSPICIOUS

    • Reads the BIOS version

      • VolcanoUI.exe (PID: 7424)
    • Executable content was dropped or overwritten

      • VolcanoUI.exe (PID: 7424)
    • Process drops legitimate windows executable

      • VolcanoUI.exe (PID: 7424)
  • INFO

    • Checks supported languages

      • VolcanoUI.exe (PID: 7424)
    • Reads the computer name

      • VolcanoUI.exe (PID: 7424)
    • The sample was compiled with English language support

      • VolcanoUI.exe (PID: 7424)
    • Reads the software policy settings

      • slui.exe (PID: 8136)
    • Checks proxy server information

      • slui.exe (PID: 8136)
    • Themida protector has been detected

      • VolcanoUI.exe (PID: 7424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process: (7424) VolcanoUI.exe
Decrypted-URLs (2):
https://file.volcano.wtf/versio
https://key.vol
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:11:13 13:59:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 5260800
InitializedDataSize: 3294208
UninitializedDataSize: -
EntryPoint: 0x1c23058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
144
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start #XOR-URL volcanoui.exe slui.exe

Process information

PID | CMD | Path | Parent process
7424 | "C:\Users\admin\Desktop\VolcanoUI.exe" | C:\Users\admin\Desktop\VolcanoUI.exe | explorer.exe
Indicators:
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\volcanoui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
xor-url
(PID) Process: (7424) VolcanoUI.exe
Decrypted-URLs (2):
https://file.volcano.wtf/versio
https://key.vol
8136 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 808
Read events
3 808
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
7424 | VolcanoUI.exe | C:\Users\admin\Desktop\VolcanoCore.dll | executable
MD5: A3E8036599F7BCA4418E033EB29ABFA3
SHA256: 60C27D31FD4007BCA79AA77E38BBC81DAC2D578A468DC52EBC651409080A1929
7424 | VolcanoUI.exe | C:\Users\admin\Desktop\WebView2Loader.dll | executable
MD5: E2F9D2EF3446E70B50DE50F577C6939E
SHA256: A8A6CD8D6DF1F913671BCD96B6298B6F53FD066A84AE891E4D865BC1B8E8E9E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
44
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5492
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
40.126.32.72:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
unknown
GET
200
135.233.95.144:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
29.1 Kb
unknown
POST
200
20.190.160.3:443
https://login.live.com/RST2.srf
unknown
unknown
POST
200
20.190.160.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
unknown
7928
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7928
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7928
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
7928
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
unknown
whitelisted
7928
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5492
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
5596
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1284
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
184.86.251.22:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5492
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5596
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1284
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4420
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
www.bing.com
  • 184.86.251.22
  • 184.86.251.27
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.5
  • 40.126.32.138
  • 20.190.160.131
  • 20.190.160.20
  • 20.190.160.128
  • 40.126.32.74
  • 40.126.32.76
whitelisted
file.volcano.wtf
  • 172.67.175.175
  • 104.21.56.14
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info