File name:

Un_A.exe

Full analysis: https://app.any.run/tasks/62bd7fa4-7ba8-46b2-a9b8-38cb8f621582
Verdict: Malicious activity
Analysis date: May 15, 2025, 13:13:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

B45817E5F72DA30A690602E0253BD9E4

SHA1:

26B93306F815E1483515CB1F0D0C01585C05DADC

SHA256:

71A34EBBE734B84D00DE8F9B615AC00F276A3B6952AF47CB60DAF5A4E76E5950

SSDEEP:

12288:GzrOj6nXNiVlRiY1t3yiVnVNy0VnVB/TbTIppUcifTOgkt1dv:s6M2Tb0plE6gQ11

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 7712)
      • Un_A.exe (PID: 7412)
      • net.exe (PID: 7804)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Un_A.exe (PID: 7276)
      • Un_A.exe (PID: 7412)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 7412)

    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 7412)

    • There is functionality for taking screenshot (YARA)

      • Un_A.exe (PID: 7412)

    • Reads security settings of Internet Explorer

      • Un_A.exe (PID: 7412)

    • Creates or modifies Windows services

      • Un_A.exe (PID: 7412)

    • Starts itself from another location

      • Un_A.exe (PID: 7276)

  • INFO

    • The sample compiled with japanese language support

      • Un_A.exe (PID: 7276)

    • Checks supported languages

      • Un_A.exe (PID: 7276)
      • Un_A.exe (PID: 7412)

    • Create files in a temporary directory

      • Un_A.exe (PID: 7276)
      • Un_A.exe (PID: 7412)

    • Reads the computer name

      • Un_A.exe (PID: 7412)

    • Checks proxy server information

      • Un_A.exe (PID: 7412)
      • slui.exe (PID: 6564)

    • Creates files in the program directory

      • Un_A.exe (PID: 7412)

    • Reads the software policy settings

      • slui.exe (PID: 6564)

    • The sample compiled with english language support

      • Un_A.exe (PID: 7412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:01 02:42:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x3312
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.25.0.29
ProductVersionNumber: 6.25.0.29
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Japanese
CharacterSet: Windows, Japan (Shift - JIS X-0208)
CompanyName: Glarysoft Ltd
FileDescription: Glary Utilities Uninstaller
LegalCopyright: Copyright (c) 2003 - 2025 Glarysoft Ltd
ProductName: Glary Utilities
ProductVersion: 6.25.0.29
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
13
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start un_a.exe un_a.exe sppextcomobj.exe no specs slui.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs rundll32.exe no specs slui.exe un_a.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6564C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7172"C:\Users\admin\AppData\Local\Temp\Un_A.exe" C:\Users\admin\AppData\Local\Temp\Un_A.exeexplorer.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Glary Utilities Uninstaller
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7276"C:\Users\admin\AppData\Local\Temp\Un_A.exe" C:\Users\admin\AppData\Local\Temp\Un_A.exe
explorer.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities Uninstaller
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7412"C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp\C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Un_A.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities Uninstaller
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7532C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7564"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7712net stop GUPMServiceC:\Windows\SysWOW64\net.exeUn_A.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7772C:\WINDOWS\system32\net1 stop GUPMServiceC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
7804net stop GUMemfilesServiceC:\Windows\SysWOW64\net.exeUn_A.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 391
Read events
1 383
Write events
4
Delete events
4

Modification events

(PID) Process:(7412) Un_A.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7412) Un_A.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7412) Un_A.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7412) Un_A.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BootDefrag
Operation:writeName:Status
Value:
0
(PID) Process:(7412) Un_A.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BootDefrag
Operation:delete valueName:Status
Value:
(PID) Process:(7412) Un_A.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BootDefrag
Operation:delete keyName:(default)
Value:
(PID) Process:(7412) Un_A.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Glary Utilities Initialization
Value:
(PID) Process:(7412) Un_A.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:GUDelayStartup
Value:
Executable files
6
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\nsExec.dllexecutable
MD5:09C2E27C626D6F33018B8A34D3D98CB6
SHA256:114C6941A8B489416C84563E94FD266EA5CAD2B518DB45CD977F1F9761E00CB1
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\System.dllexecutable
MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\modern-header.bmpimage
MD5:9DB3B0389E05B487A38B6604F26E12EB
SHA256:D284B34C4BE14D8BCB66B9FE0A86F9078D79A1A925D95235A653CF232E35082B
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\Inetc.dllexecutable
MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\modern-wizard.bmpimage
MD5:C57CE6F09C7A8E95361DFD2E7B03F49D
SHA256:720A31EE8077202126A4657BA7D28F7F46A30872B8B21D2A0E89D0AF227B109F
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\nsDialogs.dllexecutable
MD5:1C8B2B40C642E8B5A5B3FF102796FB37
SHA256:8780095AA2F49725388CDDF00D79A74E85C9C4863B366F55C39C606A5FB8440C
7412Un_A.exeC:\Users\admin\AppData\Local\Temp\nsfC40E.tmp\KillProcDLL.dllexecutable
MD5:2F8A43C3581AF1F31CE8D9DA0C03465B
SHA256:97B5B3985736CC0F49CEB2DA68B01CE51FA821B6DA3CEC69CFEEBFBA8D626845
7276Un_A.exeC:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exeexecutable
MD5:B45817E5F72DA30A690602E0253BD9E4
SHA256:71A34EBBE734B84D00DE8F9B615AC00F276A3B6952AF47CB60DAF5A4E76E5950
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
19
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.48.23.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7976
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7412
Un_A.exe
POST
500
52.24.207.204:80
http://analytics.glarysoft.com/api/v1/uninstall
unknown
unknown
7976
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.169:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7412
Un_A.exe
52.24.207.204:80
analytics.glarysoft.com
AMAZON-02
US
suspicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.169
  • 23.48.23.147
  • 23.48.23.194
  • 23.48.23.176
  • 23.48.23.159
  • 23.48.23.143
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.67
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.20
  • 40.126.32.72
  • 20.190.160.131
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
analytics.glarysoft.com
  • 52.24.207.204
unknown
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
7412
Un_A.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Un_A.exe