File name: rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe

Full analysis: https://app.any.run/tasks/7bc8782b-4d64-4028-a1e6-bf5584c06abf
Verdict: Malicious activity
Analysis date: July 07, 2025, 13:35:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: themida, xor-url, generic, crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 49C4079FA675FC9271F6F7A8F47BC386
SHA1: 3231A278F74B1FD9014CFBA94F7145396DB565FB
SHA256: 9B815F7B57A1B2027618721745314C23DF01274BEA2BBC7AFAC56177DBDFB0F2
SSDEEP: 98304:uKHnhStVL64spGvNXzGxKCmkVR4pqQGk+b81fDI1oqg/I82yo+w:m0r5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5884)
    • XORed URL has been found (YARA)

      • UserOOBEBroker.exe (PID: 1180)
    • Starts CMD.EXE for self-deleting

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
    • Starts a Microsoft application from unusual location

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
    • Reads the BIOS version

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
      • UserOOBEBroker.exe (PID: 1180)
    • Starts CMD.EXE for commands execution

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
      • UserOOBEBroker.exe (PID: 1180)
    • Hides command output

      • cmd.exe (PID: 2076)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 4012)
    • Found regular expressions for crypto-addresses (YARA)

      • UserOOBEBroker.exe (PID: 1180)
    • Executable content was dropped or overwritten

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2076)
    • The process executes via Task Scheduler

      • UserOOBEBroker.exe (PID: 1180)
  • INFO

    • The sample compiled with english language support

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
    • Checks supported languages

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
      • UserOOBEBroker.exe (PID: 1180)
    • Reads the computer name

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
      • UserOOBEBroker.exe (PID: 1180)
    • Reads the machine GUID from the registry

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
      • UserOOBEBroker.exe (PID: 1180)
    • Creates files in the program directory

      • rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe (PID: 5480)
    • Themida protector has been detected

      • UserOOBEBroker.exe (PID: 1180)
    • Checks proxy server information

      • slui.exe (PID: 3860)
    • Reads the software policy settings

      • slui.exe (PID: 3860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.2)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:26 01:53:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 55808
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x25636
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 10.0.26100.3624
ProductVersionNumber: 10.0.26100.3624
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: User OOBE Broker
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
InternalName: User OOBE Broker
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: UserOOBEBroker.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.26100.3624
All screenshots are available in the full report
Total processes: 145
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph, in order: start, rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe, cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs), useroobebroker.exe (#XOR-URL, no specs), cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), slui.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 72
CMD: schtasks /create /tn "OneDrive Startup Task-S-2-5-25" /tr "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe" /SC MINUTE /MO 1 /IT /F
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1096
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe"
Path: C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: User OOBE Broker
Version: 10.0.26100.3624 (WinBuild.160101.0800)
Modules (images):
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\useroobebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
PID: 1300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1356
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2076
CMD: "cmd.exe" /c timeout 5 >nul && del "C:\Users\admin\Desktop\rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3860
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4012
CMD: schtasks /query /tn "OneDrive Startup Task-S-2-5-25"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5480
CMD: "C:\Users\admin\Desktop\rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe"
Path: C:\Users\admin\Desktop\rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: User OOBE Broker
Exit code: 0
Version: 10.0.26100.3624 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\desktop\rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
PID: 5552
CMD: timeout 5
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 749
Read events: 3 749
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_754254ee.txt | text
  MD5: 92DDF49D56AC89E2634B315395A7118B
  SHA256: 7D3BD1F5D8D5B2B4AE77406E84E71FD4AADE6033826493F7F7F03DBE4DD37DC5
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_32da23e5.txt | text
  MD5: ABFE3283F6044F3C64EDD191652441EC
  SHA256: F9097746E273D0BF8C3DC1D0EE44307936F85DBC711D00DDBFE0F685A28B95A6
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_37b741fe.txt | text
  MD5: 2B45D1D422128CC64BCF03921D37EC51
  SHA256: D982A07AB75A59F98D788144F699FE50ECC5FD6087B8DB13EB233DCB73F0EA52
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_09f5ff7a.txt | text
  MD5: 566AC3E93CBEAD6A9E815A4FE9E2CD72
  SHA256: 0ADF355A1B882A7880A51C9C513F517E30F808035BDA5C01BB157921016FC7D0
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_ff381d17\file_00cf6b21.txt | text
  MD5: 1CED126644FCA619A001F00799D4C86C
  SHA256: E9F1E09067BCD1A8C3CB4819F505AA9D7AFAE5E5F4296E52AD7FC401D1601DDB
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_1fbee1a4\file_03b75cdc.txt | text
  MD5: 0FEE51AD43E2351B24BED03225B42BBD
  SHA256: C50658212095CA48FB6BF799C09DA4A22F9207B27DE1D509AA8E5AA510947D3E
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_8dc545a6.txt | text
  MD5: 7EDE2031DD21C9C3564E7DC80C1F5535
  SHA256: 221E6364611533FA9B233D7DD0375458191A9F28A42633B855D9E078246CBB68
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_1fbee1a4\file_2b695582.txt | text
  MD5: D1F4824A1E7E5BB46B3C6FCD5CF3AC23
  SHA256: 8C46B5F59EBFF45249D952CA0DF953681DFBA2266C3FC9E86DA5B53735C44FF7
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\DataFolder_1fbee1a4\file_db879b6b.txt | text
  MD5: E9742E5A7CDD91CF02733BF4F4B311B9
  SHA256: 90496C2F7A01AE963143E5D78ECFC372EA0101372A05B8D25F42DAE7B1E3DA1F
5480 | rl_9b815f7b57a1b2027618721745314c23df01274bea2bbc7afac56177dbdfb0f2.exe | C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe | executable
  MD5: 49C4079FA675FC9271F6F7A8F47BC386
  SHA256: 9B815F7B57A1B2027618721745314C23DF01274BEA2BBC7AFAC56177DBDFB0F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 41
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6492 | RUXIMICS.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6492 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.5:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6492 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6492 | RUXIMICS.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.212.142 | whitelisted
crl.microsoft.com | 23.216.77.19, 23.216.77.18, 23.216.77.43, 23.216.77.22 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.138, 20.190.160.22, 20.190.160.130, 20.190.160.4, 20.190.160.66, 20.190.160.5, 40.126.32.74 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.11 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
x1.c.lencr.org | 69.192.161.44 | whitelisted

Threats

No threats detected
No debug info