Malware analysis Clear-TemplateSearch.b5010.SK048.ed.exe Malicious activity

Add for printing

File name:	Clear-TemplateSearch.b5010.SK048.ed.exe
Full analysis:	https://app.any.run/tasks/33bec33c-4e09-4e96-ba44-8b44dbb1f273
Verdict:	Malicious activity
Analysis date:	November 11, 2024, 14:19:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:	4D01267756C208CA6ED1D5C10E29B874
SHA1:	CF9750E26D2FF4A77B85BB27F325387DE2DA9A02
SHA256:	4735EAFE9826D48C494A6ED662F6BE40930A3F7234D10C526D2CCA5B42D2C46F
SSDEEP:	98304:f+cD4dnAcuLHn+n+HuacjqW3Vz89dWG2d1WORyA3MCGm1Q2mYV5xH8HbOKJ+CxX5:f3X64

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads the Windows owner or organization settings
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Drops 7-zip archiver for unpacking
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Executable content was dropped or overwritten
  - Clear-TemplateSearch.b5010.SK048.ed.exe (PID: 1428)
  - 7zr.exe (PID: 7544)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
  - 7zr.exe (PID: 7636)
- Process drops legitimate windows executable
  - 7zr.exe (PID: 7544)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Application launched itself
  - clearbrowser.exe (PID: 8072)
  - clearbrowser.exe (PID: 8052)
  - clearbrowser.exe (PID: 612)
  - clearbrowser.exe (PID: 8228)
  - clearbrowser.exe (PID: 8264)
  - clearbrowser.exe (PID: 1112)
  - clearbrowser.exe (PID: 8336)
- Starts CMD.EXE for commands execution
  - clearbrowser.exe (PID: 612)
  - clearbrowser.exe (PID: 1112)
- The executable file from the user directory is run by the CMD process
  - Clear.Remoting.Native.exe (PID: 1764)
  - Clear.Remoting.Native.exe (PID: 6740)
  - Clear.Remoting.Native.exe (PID: 8448)
  - Clear.Remoting.Native.exe (PID: 6200)
INFO
- Checks supported languages
  - Clear-TemplateSearch.b5010.SK048.ed.exe (PID: 1428)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Reads the computer name
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Reads the machine GUID from the registry
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Create files in a temporary directory
  - Clear-TemplateSearch.b5010.SK048.ed.exe (PID: 1428)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Application launched itself
  - msedge.exe (PID: 3432)
  - msedge.exe (PID: 2432)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (65.1)
.exe	\|	Win32 EXE PECompact compressed (generic) (24.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.9)
.exe	\|	Win32 Executable (generic) (2.6)
.exe	\|	Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:04:14 16:10:23+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	63488
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	1.1.4.0
ProductVersionNumber:	1.1.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Clear.App
FileDescription:	Clear Setup
FileVersion:	1.1.4.0
LegalCopyright:	Clear.App
OriginalFileName:
ProductName:	Clear
ProductVersion:	1.1.4.0/Stub::1.1.4.0/7cef363/2024-03-28T14:31:35+

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

285

Monitored processes

152

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

612

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --start-maximized https://clearbar.app/rd2/?id=104162Ly9hcmNhZGV0YWIuY29t&guid=f7f4d2e4-db38-48ae-818f-abefd714d363&version=1.1.4.0

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

Clear.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

MEDIUM

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll

632

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Clear.exe" firstrun

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Clear.exe

Clear-TemplateSearch.b5010.SK048.ed.tmp

User:

admin

Integrity Level:

MEDIUM

Description:

Clear

Version:

1.1.4.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\clear.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

696

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4932 --field-trial-handle=2364,i,14123798636002944041,8146264957794103457,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

700

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --type=renderer --extension-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4720 --field-trial-handle=2004,i,3121260609653721376,4281407758146286421,262144 --variations-seed-version /prefetch:2

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

clearbrowser.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

LOW

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

700

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5832 --field-trial-handle=2576,i,15074051082237744634,3823714640436448893,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1112

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5336 --field-trial-handle=2576,i,15074051082237744634,3823714640436448893,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1112

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --start-maximized https://clearbar.app/rd2/?id=7527Ly9hcmNhZGV0YWIuY29t&guid=f7f4d2e4-db38-48ae-818f-abefd714d363

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

Clear.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

MEDIUM

Description:

ClearBrowser

Version:

123.0.6270.0

1180

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2356 --field-trial-handle=2364,i,14123798636002944041,8146264957794103457,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1204

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --mojo-platform-channel-handle=2564 --field-trial-handle=2004,i,3121260609653721376,4281407758146286421,262144 --variations-seed-version /prefetch:8

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

clearbrowser.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

LOW

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1248

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --mojo-platform-channel-handle=5992 --field-trial-handle=2004,i,3121260609653721376,4281407758146286421,262144 --variations-seed-version /prefetch:8

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

clearbrowser.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

LOW

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

23 059

Read events

22 886

Write events

163

Delete events

Modification events


(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

153

Suspicious files

781

Text files

997

Unknown types

Dropped files

PID	Process	Filename		Type
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\css\baselinenew.css		text
		MD5:4D9E4F45F1F8500EB7FE29AC4A34818D	SHA256:03ED977D9D2B9AEEE7912886185B69BABB7496DC9B45042190097F81153762DC
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\assets\common\check_badge.png		image
		MD5:5BB846C7F7965BB689DC678AF686C9BF	SHA256:DFEDC430D48922DDC24166AF1EF4E2B77112386602CB6BE15686C6A60E0D0F5C
1428	Clear-TemplateSearch.b5010.SK048.ed.exe	C:\Users\admin\AppData\Local\Temp\is-UPTQP.tmp\Clear-TemplateSearch.b5010.SK048.ed.tmp		executable
		MD5:BCFE6D377402B260F454902103B96183	SHA256:EB9401BD3941D116DB155A444CE200BACC9E3A3465B723CA7F53C35E59ACC0ED
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\is-021S7.tmp		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\chromium.7z		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\is-CI6FO.tmp		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\clear.7z		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\js\knockout.js		s
		MD5:052E3CBD4009F65055D36541CE9CC91D	SHA256:7EB9DAB1C04D4ABCE6749AD9D94DDD0690E3C99C6890F979F07EFE4775EE1EAB
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\Profiles\profile_map.txt		text
		MD5:6444764B2CF9F2B2C274787263A78CCB	SHA256:1AF45A6C76B8BAA3CC167690EB748D8C367D1B5E98FE3581B6D8975632FF07F7
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

163

DNS requests

170

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5600	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7380	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7380	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3772	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
632	Clear.exe	GET	200	148.251.136.139:80	http://openweathermap.org/img/w/01d.png	unknown	—	—	whitelisted
632	Clear.exe	GET	301	142.250.186.36:80	http://www.google.com/s2/favicons?domain=https://www.office.com/&sz=128	unknown	—	—	whitelisted
632	Clear.exe	GET	301	142.250.186.36:80	http://www.google.com/s2/favicons?domain=https://chrome.google.com/webstore?hl=en&sz=128	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	92.123.104.63:443	www.bing.com	Akamai International B.V.	DE	whitelisted
6908	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5600	svchost.exe	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
www.bing.com	92.123.104.63 92.123.104.66 92.123.104.6 92.123.104.62 92.123.104.5 92.123.104.59 92.123.104.61 92.123.104.58 92.123.104.57 92.123.104.30 92.123.104.18 92.123.104.17 92.123.104.19 92.123.104.20 92.123.104.14 92.123.104.29 92.123.104.24 92.123.104.16 92.123.104.4 92.123.104.64 92.123.104.67 92.123.104.9 92.123.104.65 92.123.104.10	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
google.com	142.250.185.142	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	20.190.159.4 20.190.159.71 20.190.159.2 40.126.31.69 20.190.159.23 40.126.31.67 40.126.31.71 40.126.31.73	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	92.123.104.14 92.123.104.5 92.123.104.12 92.123.104.65 92.123.104.63 92.123.104.66 92.123.104.9 92.123.104.4 92.123.104.13	whitelisted
go.microsoft.com	23.213.170.81	whitelisted
www.google-analytics.com	142.250.184.206	whitelisted

Threats

PID	Process	Class	Message
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)

Add for printing

Process	Message
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC round 2 called
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC round 2 called
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> Activate -> HtmlInstaller.CallbackArgumentsImpl
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> Log -> HtmlInstaller.CallbackArgumentsImpl
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> AddTrackingLabel -> HtmlInstaller.CallbackArgumentsImpl
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> Log -> HtmlInstaller.CallbackArgumentsImpl

General Info

Clear-TemplateSearch.b5010.SK048.ed.exe

4D01267756C208CA6ED1D5C10E29B874

CF9750E26D2FF4A77B85BB27F325387DE2DA9A02

4735EAFE9826D48C494A6ED662F6BE40930A3F7234D10C526D2CCA5B42D2C46F

98304:f+cD4dnAcuLHn+n+HuacjqW3Vz89dWG2d1WORyA3MCGm1Q2mYV5xH8HbOKJ+CxX5:f3X64

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the Windows owner or organization settings

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

Process drops legitimate windows executable

Application launched itself

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings