slui.exe

  • File Path: C:\Windows\system32\slui.exe
  • Description: Windows Activation Client

Hashes

Type Hash
MD5 3A171EFE71231ACB1B45E1FC00671EDF
SHA1 12A85CFE1D19D3844AD7081B69BC5FCC67528E74
SHA256 462E1576643D2303202BB15D0E74BCBAC17B90DB1E20003B60E022033FCF4542
SHA384 7D89BDDDD1D3582863FA75F30CE0D977129D7993AEAE83E9F6E08E781FB28DE8408B68E9024E54D6C6F489D8C6548048
SHA512 3451E60E30A2F4BA63B68DF7F42300EC532942E2585C97306D61B70D5E2B745947FC00F094C232F1AD60F1F9B9F8F8FB3208815CD68B76DE6B9E73B645AF1926
SSDEEP 6144:DcuofCPuZTuDH4SSIs00Tly7UEwqY/W5R02qO7VKCyWQp:DBoanYlT4wq3nyR

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: slui.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\slui.exe 41
C:\Windows\system32\slui.exe 55
C:\windows\system32\slui.exe 54
C:\Windows\system32\slui.exe 55
C:\Windows\system32\slui.exe 55
C:\Windows\system32\sppcommdlg.dll 38

Possible Misuse

The following table contains possible examples of slui.exe being misused. While slui.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_uac_bypass_changepk_slui.yml description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61) DRL 1.0
sigma proc_creation_win_uac_bypass_changepk_slui.yml ParentImage|endswith: '\slui.exe' DRL 1.0
sigma registry_event_shell_open_keys_manipulation.yml description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) DRL 1.0
atomic-red-team T1548.002.md Target: \system32\slui.exe, \system32\changepk.exe MIT License. © 2018 Red Canary
stockpile b7344901-0b02-4ead-baf6-e3f629ed545f.yml description: executes the slui exe file handler hijack Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.