File name:

E.txt

Full analysis: https://app.any.run/tasks/0e20126b-9d9b-4365-bb0c-f806d4fcc65d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 11, 2023, 22:22:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

C9B8888D3961327627FA1165F18A3855

SHA1:

AD302AE4663F050EBDB73EA120BADEFF1D40B4A5

SHA256:

3175B8900B5BFE57079C47D8CF4F8A0415F8289340751993F639C09A7ABCDDF0

SSDEEP:

3:mKDD2AGoKDD1TT82yByW1sFAZxlFLxX1FnLfJFf/Mp/rgABYFNFDvyej:hi/O2ayW1sFCwpTgABWyC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • cmd.exe (PID: 1360)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 1360)
    • Steals credentials

      • SearchProtocolHost.exe (PID: 3960)
    • Actions look like stealing of personal data

      • cmd.exe (PID: 1360)
  • SUSPICIOUS

    • Reads the Internet Settings

      • SearchProtocolHost.exe (PID: 3652)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1360)
    • Executes as Windows Service

      • SearchIndexer.exe (PID: 3252)
      • SearchIndexer.exe (PID: 3340)
    • Creates files in the program directory

      • SearchIndexer.exe (PID: 3252)
      • SearchIndexer.exe (PID: 3340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
60
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes shown in the graph:
  • notepad.exe (no specs)
  • cmd.exe
  • searchindexer.exe (no specs)
  • searchindexer.exe (no specs)
  • searchprotocolhost.exe
  • searchfilterhost.exe (no specs)
  • searchprotocolhost.exe (no specs)
  • bcdedit.exe (no specs), 5 instances

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1360
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1073807364
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2076
CMD: "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\E.txt"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2760
CMD: BCDEDIT /SET BOOTems no
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2900
CMD: BCDEDIT /set RECOVERYENABLED no
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3220
CMD: BCDEDIT /set {bootmgr} displaybootmenu no
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3252
CMD: C:\Windows\system32\SearchIndexer.exe /Embedding
Path: C:\Windows\System32\SearchIndexer.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3268
CMD: BCDEDIT /set ADVANCEDOPTIONS no
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3340
CMD: C:\Windows\system32\SearchIndexer.exe /Embedding
Path: C:\Windows\System32\SearchIndexer.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3516
CMD: "C:\Windows\system32\SearchFilterHost.exe" 0 532 536 544 65536 540
Path: C:\Windows\System32\SearchFilterHost.exe
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3652
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
4 581
Read events
4 003
Write events
371
Delete events
207

Modification events

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003f5
Value: 010000008C4BC65C200C00000100000000000000

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003eb
Value: 01000000C6A5C65C200C00000100000000000000

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 00000bdc
Value: 0100000066A8C65C200C00000100000000000000

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager
Operation: write
Name: UseSystemTemp
Value: 0

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex
Operation: write
Name: SystemLcid
Value: 1033

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\3
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (3252) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\5
Operation: write
Name: CrawlControl
Value: 0
Executable files
0
Suspicious files
27
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3340
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log
Type: binary
MD5: 3045347663393F10AC1115F8571AB636
SHA256: 778F73EAE1180763B53B7BD0753C6F2B5F8282BE7D1B1C3F99B656046331ED83

PID: 3252
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Type: binary
MD5: CED3ED08A7FF69A7B1A5B7B9D9B9F210
SHA256: 4ADFE0F6973BFC9D5FAEE45F1E9D6809ACEBD18D6555A93E3C254B7845026616

PID: 3252
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs
Type: binary
MD5: 87E50E8586DBA6B53A60855024388427
SHA256: 4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0

PID: 3340
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs
Type: binary
MD5: 87E50E8586DBA6B53A60855024388427
SHA256: 4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0

PID: 3340
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
Type: binary
MD5: 72523423D14B3F3F2979DD3E50693A27
SHA256: 6C984F19CA6EA0F8DF5706BD06F7A64710F981E1AED7D3E8048AC098090C2E2C

PID: 1360
Process: cmd.exe
Filename: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Fault-Tolerant-Heap%4Operational.evtx
Type: binary
MD5: F5E1F9D2DA5E92D79232596CF1C88120
SHA256: C5725048D5C71F27E79465B751E4A02AE016101943A457A771D4327452B99FC0

PID: 3340
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Type: binary
MD5: 3045347663393F10AC1115F8571AB636
SHA256: 778F73EAE1180763B53B7BD0753C6F2B5F8282BE7D1B1C3F99B656046331ED83

PID: 3340
Process: SearchIndexer.exe
Filename: C:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.002
Type: binary
MD5: FCD6BCB56C1689FCEF28B57C22475BAD
SHA256: DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31

PID: 3340
Process: SearchIndexer.exe
Filename: C:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.001
Type: binary
MD5: FCD6BCB56C1689FCEF28B57C22475BAD
SHA256: DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31

PID: 3340
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001
Type: binary
MD5: D55C0CFDACD324A50B20D82C23AE957C
SHA256: 70C336472B02A29928327DBBF62E8DE9886F2A163D206B2C687D9C76A407F4CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2588
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info