Malware analysis Clear-TemplateSearch.b5010.SK048.ed.exe Malicious activity

Add for printing

File name:	Clear-TemplateSearch.b5010.SK048.ed.exe
Full analysis:	https://app.any.run/tasks/33bec33c-4e09-4e96-ba44-8b44dbb1f273
Verdict:	Malicious activity
Analysis date:	November 11, 2024, 14:19:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:	4D01267756C208CA6ED1D5C10E29B874
SHA1:	CF9750E26D2FF4A77B85BB27F325387DE2DA9A02
SHA256:	4735EAFE9826D48C494A6ED662F6BE40930A3F7234D10C526D2CCA5B42D2C46F
SSDEEP:	98304:f+cD4dnAcuLHn+n+HuacjqW3Vz89dWG2d1WORyA3MCGm1Q2mYV5xH8HbOKJ+CxX5:f3X64

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
  - 7zr.exe (PID: 7544)
- Executable content was dropped or overwritten
  - 7zr.exe (PID: 7636)
  - Clear-TemplateSearch.b5010.SK048.ed.exe (PID: 1428)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
  - 7zr.exe (PID: 7544)
- Application launched itself
  - clearbrowser.exe (PID: 612)
  - clearbrowser.exe (PID: 8072)
  - clearbrowser.exe (PID: 8264)
  - clearbrowser.exe (PID: 8228)
  - clearbrowser.exe (PID: 1112)
  - clearbrowser.exe (PID: 8336)
  - clearbrowser.exe (PID: 8052)
- Drops 7-zip archiver for unpacking
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Starts CMD.EXE for commands execution
  - clearbrowser.exe (PID: 1112)
  - clearbrowser.exe (PID: 612)
- The executable file from the user directory is run by the CMD process
  - Clear.Remoting.Native.exe (PID: 1764)
  - Clear.Remoting.Native.exe (PID: 6200)
  - Clear.Remoting.Native.exe (PID: 6740)
  - Clear.Remoting.Native.exe (PID: 8448)
- Reads the Windows owner or organization settings
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
INFO
- Create files in a temporary directory
  - Clear-TemplateSearch.b5010.SK048.ed.exe (PID: 1428)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Checks supported languages
  - Clear-TemplateSearch.b5010.SK048.ed.exe (PID: 1428)
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Reads the computer name
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)
- Application launched itself
  - msedge.exe (PID: 2432)
  - msedge.exe (PID: 3432)
- Reads the machine GUID from the registry
  - Clear-TemplateSearch.b5010.SK048.ed.tmp (PID: 6912)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (65.1)
.exe	\|	Win32 EXE PECompact compressed (generic) (24.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.9)
.exe	\|	Win32 Executable (generic) (2.6)
.exe	\|	Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:04:14 16:10:23+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	63488
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	1.1.4.0
ProductVersionNumber:	1.1.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Clear.App
FileDescription:	Clear Setup
FileVersion:	1.1.4.0
LegalCopyright:	Clear.App
OriginalFileName:
ProductName:	Clear
ProductVersion:	1.1.4.0/Stub::1.1.4.0/7cef363/2024-03-28T14:31:35+

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

285

Monitored processes

152

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

612

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --start-maximized https://clearbar.app/rd2/?id=104162Ly9hcmNhZGV0YWIuY29t&guid=f7f4d2e4-db38-48ae-818f-abefd714d363&version=1.1.4.0

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

Clear.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

MEDIUM

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll

632

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Clear.exe" firstrun

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Clear.exe

Clear-TemplateSearch.b5010.SK048.ed.tmp

User:

admin

Integrity Level:

MEDIUM

Description:

Clear

Version:

1.1.4.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\clear.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

696

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4932 --field-trial-handle=2364,i,14123798636002944041,8146264957794103457,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

700

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --type=renderer --extension-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4720 --field-trial-handle=2004,i,3121260609653721376,4281407758146286421,262144 --variations-seed-version /prefetch:2

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

clearbrowser.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

LOW

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

700

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5832 --field-trial-handle=2576,i,15074051082237744634,3823714640436448893,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1112

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5336 --field-trial-handle=2576,i,15074051082237744634,3823714640436448893,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1112

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --start-maximized https://clearbar.app/rd2/?id=7527Ly9hcmNhZGV0YWIuY29t&guid=f7f4d2e4-db38-48ae-818f-abefd714d363

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

Clear.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

MEDIUM

Description:

ClearBrowser

Version:

123.0.6270.0

1180

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2356 --field-trial-handle=2364,i,14123798636002944041,8146264957794103457,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1204

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --mojo-platform-channel-handle=2564 --field-trial-handle=2004,i,3121260609653721376,4281407758146286421,262144 --variations-seed-version /prefetch:8

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

clearbrowser.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

LOW

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1248

"C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\chromium\clearbrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --mojo-platform-channel-handle=5992 --field-trial-handle=2004,i,3121260609653721376,4281407758146286421,262144 --variations-seed-version /prefetch:8

C:\Users\admin\AppData\Local\Programs\Clear\1.1.4.0\Chromium\clearbrowser.exe

—

clearbrowser.exe

User:

admin

Company:

ClearBrowser

Integrity Level:

LOW

Description:

ClearBrowser

Exit code:

Version:

123.0.6270.0

Modules

Images
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\clearbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\clear\1.1.4.0\chromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

23 059

Read events

22 886

Write events

163

Delete events

Modification events


(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6912) Clear-TemplateSearch.b5010.SK048.ed.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Clear-TemplateSearch_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

153

Suspicious files

781

Text files

997

Unknown types

Dropped files

PID	Process	Filename		Type
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\css\baselinenew.css		text
		MD5:4D9E4F45F1F8500EB7FE29AC4A34818D	SHA256:03ED977D9D2B9AEEE7912886185B69BABB7496DC9B45042190097F81153762DC
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\Profiles\templatesearch_clearbar.json		text
		MD5:387CDC369AF5115D8B99042A1E900E5E	SHA256:C449EE4F6DCC58373D4FDE38E44B29FF9408624352F947EBC048D55F95923310
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\js\knockout.js		s
		MD5:052E3CBD4009F65055D36541CE9CC91D	SHA256:7EB9DAB1C04D4ABCE6749AD9D94DDD0690E3C99C6890F979F07EFE4775EE1EAB
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\is-021S7.tmp		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\chromium.7z		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\is-CI6FO.tmp		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\clear.7z		—
		MD5:—	SHA256:—
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\Profiles\profile_map.txt		text
		MD5:6444764B2CF9F2B2C274787263A78CCB	SHA256:1AF45A6C76B8BAA3CC167690EB748D8C367D1B5E98FE3581B6D8975632FF07F7
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\css\baseline-compliant.css		text
		MD5:78D40BDAB40ED79853222569B9AC5BD9	SHA256:E9B2E3C37C6463706FBE22925EB0B084AA785E78D49F65136608D9C15CA6C960
6912	Clear-TemplateSearch.b5010.SK048.ed.tmp	C:\Users\admin\AppData\Local\Temp\is-MM6DI.tmp\html\assets\common\browse_icon.png		image
		MD5:9C26F5DD459C12F2F8A28CAFB7447520	SHA256:3156AD4638AB7AE34E17E07A4BFC0E2509690B886506035DC92EF0EA8ADB0847

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

163

DNS requests

170

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5600	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3772	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7380	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7380	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
632	Clear.exe	GET	301	142.250.186.36:80	http://www.google.com/s2/favicons?domain=https://chrome.google.com/webstore?hl=en&sz=128	unknown	—	—	whitelisted
632	Clear.exe	GET	200	148.251.136.139:80	http://openweathermap.org/img/w/01d.png	unknown	—	—	whitelisted
4584	msedge.exe	GET	200	172.67.70.239:80	http://clearbar.app/wp-includes/js/wp-emoji-release.min.js?ver=6.0.1	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	92.123.104.63:443	www.bing.com	Akamai International B.V.	DE	whitelisted
6908	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5600	svchost.exe	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
www.bing.com	92.123.104.63 92.123.104.66 92.123.104.6 92.123.104.62 92.123.104.5 92.123.104.59 92.123.104.61 92.123.104.58 92.123.104.57 92.123.104.30 92.123.104.18 92.123.104.17 92.123.104.19 92.123.104.20 92.123.104.14 92.123.104.29 92.123.104.24 92.123.104.16 92.123.104.4 92.123.104.64 92.123.104.67 92.123.104.9 92.123.104.65 92.123.104.10	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
google.com	142.250.185.142	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	20.190.159.4 20.190.159.71 20.190.159.2 40.126.31.69 20.190.159.23 40.126.31.67 40.126.31.71 40.126.31.73	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	92.123.104.14 92.123.104.5 92.123.104.12 92.123.104.65 92.123.104.63 92.123.104.66 92.123.104.9 92.123.104.4 92.123.104.13	whitelisted
go.microsoft.com	23.213.170.81	whitelisted
www.google-analytics.com	142.250.184.206	whitelisted

Threats

PID	Process	Class	Message
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4584	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7708	clearbrowser.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)

Add for printing

Process	Message
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC round 2 called
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC round 2 called
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> Activate -> HtmlInstaller.CallbackArgumentsImpl
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> Log -> HtmlInstaller.CallbackArgumentsImpl
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> AddTrackingLabel -> HtmlInstaller.CallbackArgumentsImpl
Clear-TemplateSearch.b5010.SK048.ed.tmp	GC Round One called!
Clear-TemplateSearch.b5010.SK048.ed.tmp	Pre Call -> Log -> HtmlInstaller.CallbackArgumentsImpl

General Info

Clear-TemplateSearch.b5010.SK048.ed.exe

4D01267756C208CA6ED1D5C10E29B874

CF9750E26D2FF4A77B85BB27F325387DE2DA9A02

4735EAFE9826D48C494A6ED662F6BE40930A3F7234D10C526D2CCA5B42D2C46F

98304:f+cD4dnAcuLHn+n+HuacjqW3Vz89dWG2d1WORyA3MCGm1Q2mYV5xH8HbOKJ+CxX5:f3X64

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Application launched itself

Drops 7-zip archiver for unpacking

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Reads the Windows owner or organization settings

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Application launched itself

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings