slui.exe

  • File Path: C:\Windows\system32\slui.exe
  • Description: Windows Activation Client

Hashes

Type    Hash
MD5     CAF88C49F33FA27D956BC728A041346D
SHA1    9AD7236AA1CE3101D6088E77E473A4E23AFA543E
SHA256  3B406849A07295BFE60D959F713E323B2B2FFEAD0C6A96B55CB8D74FD708481D
SHA384  81E60F2CCEBDA04C0225ED2B59F2E5CE78D9BB96F376029ECA15212B3A965F7D5C9FBB22981115B20019D255D30CC3E5
SHA512  8AC563E98BC5076E45AC9AE212888DBCEFA9CA0F12F92664099052E9EBEC193E226E283F917386743C47A918D41FC0DDA4B4164712F216ECABAB28609790671A
SSDEEP  6144:GVxpC1u+z53bQeILDS7LZAwHfMqY/W5R02qO7VKCyWQp:ixIptMX26Jq3nyR

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\slui.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: slui.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File                                 Score
C:\WINDOWS\system32\slui.exe         47
C:\Windows\system32\slui.exe         99
C:\windows\system32\slui.exe         55
C:\Windows\system32\slui.exe         55
C:\Windows\system32\slui.exe         97
C:\Windows\system32\sppcommdlg.dll   38

Possible Misuse

The following table contains possible examples of slui.exe being misused. While slui.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_uac_bypass_changepk_slui.yml | description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61) | DRL 1.0
sigma | proc_creation_win_uac_bypass_changepk_slui.yml | ParentImage|endswith: '\slui.exe' | DRL 1.0
sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0
atomic-red-team | T1548.002.md | Target: \system32\slui.exe, \system32\changepk.exe | MIT License. © 2018 Red Canary
stockpile | b7344901-0b02-4ead-baf6-e3f629ed545f.yml | description: executes the slui exe file handler hijack | Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.