File name:

addon2.exe

Full analysis: https://app.any.run/tasks/d50da6f8-7fb4-4759-9e3b-b13c6c96fd83
Verdict: Malicious activity
Analysis date: May 23, 2025, 20:59:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

DF8E8755AA4E2A8D705D6C28CC0B7D2D

SHA1:

351C6E030F124208D48DBC83BA7A2B144DF6DE55

SHA256:

441F4A7FF235A84891AB4616A98C814797EBB4D5BAE46792FA6043D9C0080521

SSDEEP:

768:rTjKyq+ZRGLxf6VlqmKGcpfmA6gZGtJ+idQuaXgSLbu/MHwlR9e:JIRmHcwXJmLbo2wj9e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5968)
    • Changes the login/logoff helper path in the registry

      • addon2.exe (PID: 5892)
    • Starts CMD.EXE for self-deleting

      • addon2.exe (PID: 5892)
    • XORed URL has been found (YARA)

      • UserOOBEBroker.exe (PID: 664)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • addon2.exe (PID: 5892)
      • addon2.exe (PID: 4688)
    • Application launched itself

      • addon2.exe (PID: 4688)
    • Reads security settings of Internet Explorer

      • addon2.exe (PID: 4688)
    • Process drops legitimate windows executable

      • addon2.exe (PID: 4688)
    • Executable content was dropped or overwritten

      • addon2.exe (PID: 4688)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 3896)
      • schtasks.exe (PID: 4724)
    • Starts CMD.EXE for commands execution

      • addon2.exe (PID: 5892)
      • UserOOBEBroker.exe (PID: 664)
    • Reads the date of Windows installation

      • addon2.exe (PID: 4688)
    • Hides command output

      • cmd.exe (PID: 1276)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1276)
    • The process executes via Task Scheduler

      • UserOOBEBroker.exe (PID: 664)
    • Found regular expressions for crypto-addresses (YARA)

      • UserOOBEBroker.exe (PID: 664)
  • INFO

    • Reads the computer name

      • addon2.exe (PID: 4688)
      • addon2.exe (PID: 5892)
      • UserOOBEBroker.exe (PID: 664)
    • Checks supported languages

      • addon2.exe (PID: 4688)
      • addon2.exe (PID: 5892)
      • UserOOBEBroker.exe (PID: 664)
    • Reads the machine GUID from the registry

      • addon2.exe (PID: 4688)
      • addon2.exe (PID: 5892)
      • UserOOBEBroker.exe (PID: 664)
    • The sample compiled with english language support

      • addon2.exe (PID: 4688)
    • Creates files in the program directory

      • addon2.exe (PID: 4688)
      • addon2.exe (PID: 5892)
    • Process checks computer location settings

      • addon2.exe (PID: 4688)
    • Checks proxy server information

      • slui.exe (PID: 5384)
    • Reads the software policy settings

      • slui.exe (PID: 5384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.8)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:15 03:14:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 51200
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xe6de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 10.0.26100.3624
ProductVersionNumber: 10.0.26100.3624
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: User OOBE Broker
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
InternalName: User OOBE Broker
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: UserOOBEBroker.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.26100.3624
No data.
All screenshots are available in the full report
Total processes
141
Monitored processes
16
Malicious processes
3
Suspicious processes
0

Behavior graph

Process chain (in launch order):
  • start
  • addon2.exe
  • addon2.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • timeout.exe (no specs)
  • useroobebroker.exe (no specs) #XOR-URL
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
664
CMD:
"C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe"
Path:
C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
User OOBE Broker
Version:
10.0.26100.3624 (WinBuild.160101.0800)
Modules
Images
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
672
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1276
CMD:
"cmd.exe" /c timeout 5 >nul && del "C:\Users\admin\Desktop\addon2.exe"
Path:
C:\Windows\System32\cmd.exe
Parent process:
addon2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
1348
CMD:
"cmd.exe" /c schtasks /query /tn "WinServiceTask"
Path:
C:\Windows\System32\cmd.exe
Parent process:
addon2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
2284
CMD:
schtasks /create /tn "WinServiceTask" /tr "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe" /SC MINUTE /MO 1 /RL HIGHEST /IT /F
Path:
C:\Windows\System32\schtasks.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2908
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3304
CMD:
"cmd.exe" /c schtasks /query /tn "WinServiceTask"
Path:
C:\Windows\System32\cmd.exe
Parent process:
UserOOBEBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
3896
CMD:
schtasks /query /tn "WinServiceTask"
Path:
C:\Windows\System32\schtasks.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
4688
CMD:
"C:\Users\admin\Desktop\addon2.exe"
Path:
C:\Users\admin\Desktop\addon2.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
User OOBE Broker
Exit code:
0
Version:
10.0.26100.3624 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\addon2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
4724
CMD:
schtasks /query /tn "WinServiceTask"
Path:
C:\Windows\System32\schtasks.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 905
Read events
3 904
Write events
1
Delete events
0

Modification events

(PID) Process: (5892) addon2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value: C:\Windows\system32\userinit.exe,C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe
Executable files
1
Suspicious files
0
Text files
13
Unknown types
0

Dropped files

PID | Process | Filename | Type
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_390a0adb.txt | text
MD5: 16C9B5B180A7E3A2FBF864C715AE74DF
SHA256: 211AC1F9955A867C377ED4864DDED99554E7285BB4995CC8318A5D26D0C3D28D
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_3d2abca3.txt | text
MD5: 3BB4A1DF9F2DF34F7BB0769A4CADCF4B
SHA256: B880E7DEBF7684EB42F0E3391C48647364CCD2F64CF63BD72CFBD7C34B581EA0
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_f323b5fb\file_49d6220f.txt | text
MD5: 7BD216F6E1E987120432B4333F0B79E5
SHA256: C8549989070B15DC0C3AD94CC167720068078DCB7BF2666EFE822CBEB8F580BA
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_f323b5fb\file_81a26d93.txt | text
MD5: 7EF5E23EAF385B8E351153B126C01E1E
SHA256: EDA7C00A9EA0C7F469FC71156546D89C15D0A3120530C55BDC754676638EEB28
4688 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe | executable
MD5: DF8E8755AA4E2A8D705D6C28CC0B7D2D
SHA256: 441F4A7FF235A84891AB4616A98C814797EBB4D5BAE46792FA6043D9C0080521
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_1e7aadb0.txt | text
MD5: B2A113F275EE5DEC0DBC2CDE0EC41705
SHA256: 5C907C5928296E84DFEEFE4C0DFFDCF18D04A42E46B0340C050625D0E8CA7942
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_b6f2e887\file_f9996cb5.txt | text
MD5: 8752CB5D5E5D798E2465B292E64C6A90
SHA256: 34C4DC29C80A5DF67DCF851A086D88CC0293D5B90287A94D002BCA7267D9460F
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_6c2dcc92.txt | text
MD5: DC3A6309D6CB43C47B021C84A0A6F880
SHA256: 7F5D13FF842C7C2988D63A57F7AACAEF3FD0763CB6D892AD8E94982317AA0BFA
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_63bd21d2\file_80c5d3e8.txt | text
MD5: E7E28A5BF4EE69883F7FB55F5DEA41B0
SHA256: A908765F26E6024D06BF8978569CF74AF7D3817DA472F8515EA4BB53D3D0E6C1
5892 | addon2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_63bd21d2\file_1be4ef1e.txt | text
MD5: 560DF984300D14C9DDB666E087F589E5
SHA256: 565FD5B8D34B6B6241E2C8E9F0495BFB4145C44D84374132446CCA81C7A356FC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
40
DNS requests
16
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
6988 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6988 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
6988 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
6988 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6988 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6988 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
2104 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
2104 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6988 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6988 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
  • 23.216.77.32
  • 23.216.77.26
  • 23.216.77.35
  • 23.216.77.31
  • 23.216.77.36
  • 23.216.77.22
  • 23.216.77.25
  • 23.216.77.30
  • 23.216.77.29
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.22
  • 20.190.160.5
  • 20.190.160.2
  • 20.190.160.65
  • 20.190.160.14
whitelisted

Threats

No threats detected
No debug info