| URL: | https://d2wjbs82sgy8i4.cloudfront.net/files/ixaf13qxgk/25.0202/moba.exe |
| Full analysis: | https://app.any.run/tasks/f5051e8b-55ac-4195-a53d-887dab52f3d6 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | October 09, 2024, 18:13:42 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | B333AE7B47AA29FA7E2BF5F5612FC15A |
| SHA1: | 3FFD2B1D00E8D15174B1C9F289CD59658E165CA2 |
| SHA256: | 82980EB90E41320973B344FA0FA97C4C1B1930DACE7362F3265B10D7D0420347 |
| SSDEEP: | 3:N8PS/CcdM05Il/0LKcOeCjC:2+f/5Vj |
MALICIOUS
INNOSETUP has been detected (SURICATA)
- file_yMphw-1.tmp (PID: 7896)
Starts CMD.EXE for commands execution
- msedge.exe (PID: 6336)
SUSPICIOUS
Executable content was dropped or overwritten
- moba_yMphw-1.tmp (PID: 7612)
- moba_yMphw-1.exe (PID: 7496)
- moba_yMphw-1.exe (PID: 7588)
- file_yMphw-1.exe (PID: 7852)
- file_yMphw-1.tmp (PID: 7896)
- prod0.exe (PID: 7440)
- tr2e5r5o.exe (PID: 1376)
- UnifiedStub-installer.exe (PID: 7672)
- MobaXterm.exe (PID: 7936)
- setup.exe (PID: 9316)
- OperaSetup.exe (PID: 1572)
- setup.exe (PID: 8728)
- setup.exe (PID: 6512)
- setup.exe (PID: 8404)
- Assistant_114.0.5282.21_Setup.exe_sfx.exe (PID: 10352)
- setup.exe (PID: 10016)
- MobaXterm.exe (PID: 11092)
Access to an unwanted program domain was detected
- file_yMphw-1.tmp (PID: 7896)
Process drops legitimate windows executable
- tr2e5r5o.exe (PID: 1376)
- UnifiedStub-installer.exe (PID: 7672)
- msiexec.exe (PID: 8760)
- Assistant_114.0.5282.21_Setup.exe_sfx.exe (PID: 10352)
Executes as Windows Service
- rsSyncSvc.exe (PID: 7916)
- VSSVC.exe (PID: 8424)
- rsEngineSvc.exe (PID: 8260)
- rsWSC.exe (PID: 3108)
- rsClientSvc.exe (PID: 9136)
- rsEDRSvc.exe (PID: 9096)
- WmiApSrv.exe (PID: 9304)
- rsVPNSvc.exe (PID: 9324)
- rsDNSClientSvc.exe (PID: 2796)
- rsDNSResolver.exe (PID: 9700)
- rsDNSSvc.exe (PID: 7108)
- rsVPNClientSvc.exe (PID: 7748)
- WmiApSrv.exe (PID: 9152)
- WmiApSrv.exe (PID: 7960)
Executes application which crashes
- file_yMphw-1.tmp (PID: 7896)
Drops 7-zip archiver for unpacking
- UnifiedStub-installer.exe (PID: 7672)
Drops a system driver (possible attempt to evade defenses)
- UnifiedStub-installer.exe (PID: 7672)
Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
- UnifiedStub-installer.exe (PID: 7672)
Application launched itself
- rsAppUI.exe (PID: 8160)
- rsAppUI.exe (PID: 7592)
- setup.exe (PID: 9316)
- setup.exe (PID: 8404)
- rsAppUI.exe (PID: 7464)
- assistant_installer.exe (PID: 3952)
The process drops C-runtime libraries
- UnifiedStub-installer.exe (PID: 7672)
Uses RUNDLL32.EXE to load library
- UnifiedStub-installer.exe (PID: 7672)
Starts itself from another location
- setup.exe (PID: 9316)
Process uses IPCONFIG to clear DNS cache
- cmd.exe (PID: 10384)
- cmd.exe (PID: 4224)
Starts CMD.EXE for commands execution
- rsDNSSvc.exe (PID: 7108)
INFO
Application launched itself
- chrome.exe (PID: 5172)
- msedge.exe (PID: 7604)
- msedge.exe (PID: 6336)
Executable content was dropped or overwritten
- chrome.exe (PID: 5172)
- msiexec.exe (PID: 8600)
- msiexec.exe (PID: 8760)
- chrome.exe (PID: 9264)
- msedge.exe (PID: 6336)
Manual execution by a user
- msedge.exe (PID: 6336)
- MobaXterm.exe (PID: 11092)
Manages system restore points
- SrTasks.exe (PID: 7088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
383
Monitored processes
232
Malicious processes
7
Suspicious processes
9
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 848 | C:\WINDOWS\system32\cmd.exe /d /s /c ""c:\program files\reasonlabs\epp\rsExtensionHost.exe" chrome-extension://jcpgbnbdnakoblgfkbgggankeidkfcdl/ --parent-window=0" < \\.\pipe\chrome.nativeMessaging.in.33c1e94b39be4579 > \\.\pipe\chrome.nativeMessaging.out.33c1e94b39be4579 | C:\Windows\System32\cmd.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 860 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 884 | C:\WINDOWS\system32\cmd.exe /d /s /c ""c:\program files\reasonlabs\epp\rsExtensionHost.exe" chrome-extension://jcpgbnbdnakoblgfkbgggankeidkfcdl/ --parent-window=0" < \\.\pipe\chrome.nativeMessaging.in.e1ce924f96249ca3 > \\.\pipe\chrome.nativeMessaging.out.e1ce924f96249ca3 | C:\Windows\System32\cmd.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 884 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1160 | ipconfig /flushdns | C:\Windows\System32\ipconfig.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: IP Configuration Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1160 | "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2232 --field-trial-handle=2236,i,3014510340468245216,6016226146453266321,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | — | rsAppUI.exe | |||||||||||
User: admin Company: Reason Cybersecurity Ltd. Integrity Level: LOW Description: ReasonLabs Application Version: 1.4.2 Modules
| |||||||||||||||
| 1344 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x294,0x298,0x29c,0x1c0,0x2a4,0x7ffbae915fd8,0x7ffbae915fe4,0x7ffbae915ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1376 | "C:\Users\admin\AppData\Local\Temp\tr2e5r5o.exe" /silent | C:\Users\admin\AppData\Local\Temp\tr2e5r5o.exe | prod0.exe | ||||||||||||
User: admin Company: ReasonLabs Integrity Level: HIGH Description: ReasonLabs-setup-wizard.exe Exit code: 0 Version: 6.1.2 Modules
| |||||||||||||||
| 1376 | "C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa7628.16934\MobaXterm_installer_23.1.msi" | C:\Windows\System32\msiexec.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1572 | "c:\program files\reasonlabs\epp\rsExtensionHost.exe" chrome-extension://jcpgbnbdnakoblgfkbgggankeidkfcdl/ --parent-window=0 | C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe | — | cmd.exe | |||||||||||
User: admin Company: Reason Software Company Inc. Integrity Level: MEDIUM Description: rsExtensionHost Exit code: 0 Version: 3.2.0.0 Modules
| |||||||||||||||
Total events
268 623
Read events
267 697
Write events
683
Delete events
243
Modification events
| (PID) Process: | (5172) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (5172) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (5172) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (5172) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (5172) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
| (PID) Process: | (6088) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
| Operation: | write | Name: | {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF |
Value: 01000000000000002ED935FF761ADB01 | |||
| (PID) Process: | (7896) file_yMphw-1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | Owner |
Value: D81E00004EC12308771ADB01 | |||
| (PID) Process: | (7896) file_yMphw-1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | SessionHash |
Value: FDA7F1D493770B897ECAB950B5884C54A0708D970D84D93F39A61B310A6CDBF6 | |||
| (PID) Process: | (7896) file_yMphw-1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (7440) prod0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
Executable files
1 123
Suspicious files
1 255
Text files
712
Unknown types
50
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF8b5fb.TMP | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF8b60a.TMP | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF8b60a.TMP | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF8b61a.TMP | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF8b60a.TMP | — | |
MD5:— | SHA256:— | |||
| 5172 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
157
TCP/UDP connections
470
DNS requests
308
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 184.24.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 84.53.189.236:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 88.221.196.193:80 | http://sslcom.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEQDkJwSV9oyR1tDse0lOpN8c | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 52.6.97.148:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCEFt%2FVDgl5BqhKt4hQ5zf5m8%3D | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 52.6.97.148:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCEFt%2FVDgl5BqhKt4hQ5zf5m8%3D | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 18.244.18.60:80 | http://crls.ssl.com/ssl.com-rsa-RootCA.crl | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 52.6.97.148:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS0UJ9%2FZn2kc3RfVu9A%2FfyFSdQVAwQURPou5oAhpEaXDmroM7xTEWZNqbkCEF4bdHMJUrH6Pg1KnFCo2r4%3D | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 18.244.18.60:80 | http://crls.ssl.com/DTNT-Intermediate-codeSigning-RSA-4096-R2.crl | unknown | — | — | whitelisted |
5172 | chrome.exe | GET | 200 | 18.244.18.60:80 | http://crls.ssl.com/DTNT-Intermediate-codeSigning-RSA-4096-R2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6908 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4360 | SearchApp.exe | 23.212.110.176:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted |
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5196 | chrome.exe | 18.66.92.216:443 | d2wjbs82sgy8i4.cloudfront.net | — | US | whitelisted |
5172 | chrome.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
5196 | chrome.exe | 142.251.18.84:443 | accounts.google.com | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
d2wjbs82sgy8i4.cloudfront.net |
| whitelisted |
accounts.google.com |
| whitelisted |
sb-ssl.google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
sslcom.ocsp-certum.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7896 | file_yMphw-1.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer |
3524 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io |
3524 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io |
3524 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io |
3524 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io |
Process | Message |
|---|---|
rsEngineSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
|
rsEDRSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...
|
assistant_installer.exe | [1009/181724.101:INFO:assistant_installer_main.cc(177)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410091816521\assistant\assistant_installer.exe" --version
|