File name: SearcherBar.exe

Full analysis: https://app.any.run/tasks/8ed001e9-05a9-464c-a69d-a511650d9270
Verdict: Malicious activity
Analysis date: June 15, 2024, 18:09:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 03BC71314A16AB08A07F128AAA7FB563
SHA1: 6DB37A5484DBF66EFB65ED6B103B0B51E031B5EF
SHA256: 57F3D4173D56FCBECB7D2FF567D9717A24E31B94737235FA60AC51DB114AF23B
SSDEEP: 3072:4TyOC/FggmcvaCVooQrvlzbCpmeYmXTgzv98ZhufrRCRfNR+SUK3QJOeMBoLZe:4oxR6oQrvlipmeYmDgTqsRCF+ugJWoVe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SearcherBar.exe (PID: 1120)
    • Changes the autorun value in the registry

      • SearcherBar.exe (PID: 1120)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SearcherBar.exe (PID: 1120)
    • Creates a software uninstall entry

      • SearcherBar.exe (PID: 1120)
    • Adds/modifies Windows certificates

      • mshta.exe (PID: 1800)
    • Reads the Internet Settings

      • mshta.exe (PID: 1800)
  • INFO

    • Create files in a temporary directory

      • SearcherBar.exe (PID: 1120)
    • Reads the computer name

      • SearcherBar.exe (PID: 1120)
      • wmpnscfg.exe (PID: 1676)
    • Checks supported languages

      • SearcherBar.exe (PID: 1120)
      • wmpnscfg.exe (PID: 1676)
    • Creates files in the program directory

      • SearcherBar.exe (PID: 1120)
    • Checks proxy server information

      • mshta.exe (PID: 1800)
    • Manual execution by a user

      • explorer.exe (PID: 2028)
      • mshta.exe (PID: 1800)
      • wmpnscfg.exe (PID: 1676)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 1800)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:10+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 262144
UninitializedDataSize: 8192
EntryPoint: 0x3328
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 43
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1


Process information

PID: 1120
CMD: "C:\Users\admin\Desktop\SearcherBar.exe"
Path: C:\Users\admin\Desktop\SearcherBar.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\searcherbar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1676
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1800
CMD: "C:\Windows\System32\mshta.exe" "C:\SearcherBar\run.hta"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 2028
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3984
CMD: "C:\Users\admin\Desktop\SearcherBar.exe"
Path: C:\Users\admin\Desktop\SearcherBar.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\searcherbar.exe
c:\windows\system32\ntdll.dll
Total events: 7 172
Read events: 7 068
Write events: 62
Delete events: 42

Modification events

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SearcherBar
Value: "C:\Windows\system32\mshta.exe" "C:\SearcherBar\run.hta"

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: DisplayName
Value: SearcherBar

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: DisplayVersion
Value: 0.3

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: DisplayIcon
Value: "C:\SearcherBar\Icon.ico"

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: UninstallString
Value: "C:\SearcherBar\uninstall.exe"

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: HelpLink
Value: https://searcherbar.tilda.ws/

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: URLInfoAbout
Value: https://searcherbar.tilda.ws/

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: URLUpdateInfo
Value: https://searcherbar.tilda.ws/

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: NoModify
Value: 1

Process: (PID 1120) SearcherBar.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearcherBar
Operation: write
Name: NoRepair
Value: 1
Executable files: 1
Suspicious files: 25
Text files: 22
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1120 | SearcherBar.exe | C:\SearcherBar\main.html | html
MD5: 83EB20ED9A049A4270774907D5769B30
SHA256: C8CB6D6C9477BE521503E22701E68B7B6A8F4073E591BA47E3A07EC2A83C8420

1120 | SearcherBar.exe | C:\SearcherBar\assets\logo.png | image
MD5: 370C68B7128342C9B3C303639A388724
SHA256: 7BEFF1D2886A1E8B8F1F82671A1B612CE1FB12D499A59B77725D4C2CD8523B93

1120 | SearcherBar.exe | C:\SearcherBar\js\errorHandler.js | text
MD5: FDD3749773F0E6169728B4FCF512B2EE
SHA256: 60B66884DDFD91C2AD2F7D3774FF8647D163F469EBE8B8F2769A575CF7C0585E

1120 | SearcherBar.exe | C:\SearcherBar\assets\search.png | image
MD5: 05CA3F4F5B6A6CB7E1131F6169982548
SHA256: 493D6A0BBD2CD7665957D5B02DB805D10C7322162680662D8C3F371C9963D629

1120 | SearcherBar.exe | C:\SearcherBar\assets\close.png | image
MD5: 5DDD777FBA4CB0D3CB6458C7C4C737C8
SHA256: B02766DA8B6DB47C61959E1D7DFBD0170AFAD679CB7AF2B785973895E2C09314

1120 | SearcherBar.exe | C:\SearcherBar\js\main.js | text
MD5: 315600288639221BEB2F29C9D3834660
SHA256: 7B7E7DF885CD9159F216B97DBC84121E9622ACBC67D22A1F5F42501CB0ADAB1C

1120 | SearcherBar.exe | C:\SearcherBar\js\metrika.js | txt
MD5: 8DA054BDFF5AF362D234C027B59D30C7
SHA256: 1387306CF47156D36DD9C1D4E8DE4E0ABB2D3AC2D750D802F54A5B5D84CD7260

1120 | SearcherBar.exe | C:\SearcherBar\css\index.css | text
MD5: 60AB76717418BB6148E39E16420CCC05
SHA256: 40B608123526A72CE1718D588DF1391C104FAA502C49975D67C014D09D823C69

1120 | SearcherBar.exe | C:\SearcherBar\js\localization.js | binary
MD5: A1D858742E4CCD0173AED604947E24A1
SHA256: 3F12A4F665330563E702F82DD69A4054034051F0CCB48744C6E5469EBB3715F2

1120 | SearcherBar.exe | C:\SearcherBar\settings.hta | html
MD5: 5FCBAFE4E2E1F2E0EF7FD24BDA8BA026
SHA256: B4C138E5796BC6035B4AC818AA5EB691176D7E4397E101EA1C1F9D2A1FF1D683
HTTP(S) requests: 13
TCP/UDP connections: 20
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1800 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDHK5uAcAauK0Z6NidA%3D%3D | unknown | unknown
1800 | mshta.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | unknown
1800 | mshta.exe | GET | 200 | 142.250.185.67:80 | http://c.pki.goog/r/r1.crl | unknown | unknown
1800 | mshta.exe | GET | 200 | 142.250.185.67:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDMOFR8VxzxxAkEgX%2BGQk96 | unknown | unknown
1088 | svchost.exe | GET | 304 | 95.101.54.136:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?84d56c4a787d4796 | unknown | unknown
1800 | mshta.exe | GET | 304 | 95.101.54.113:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed460e4d79fac654 | unknown | unknown
1800 | mshta.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | unknown
1800 | mshta.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQD2zs32M1ULuTroqsVM4qGu | unknown | unknown
1800 | mshta.exe | GET | 200 | 104.18.38.233:80 | http://globessl.ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSyXBy%2F8Z7NGsXSBLMTFSXlJSNoTAQU%2FZ4i%2BHrI6Hl%2BU31DmmHev9sPHQkCEGfeRJ%2B1eueWxNTLn7HDu30%3D | unknown | unknown
1800 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown
1800 | mshta.exe | 5.181.161.8:443 | searcherbar.tilda.ws | Tilda Publishing Ltd. | US | unknown
1800 | mshta.exe | 95.101.54.113:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1800 | mshta.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | shared
1800 | mshta.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
1800 | mshta.exe | 5.255.255.242:80 | ya.ru | YANDEX LLC | RU | unknown
1800 | mshta.exe | 87.250.251.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted
1800 | mshta.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | shared

DNS requests

Domain
IP
Reputation
searcherbar.tilda.ws
  • 5.181.161.8
  • 5.181.161.7
  • 5.181.161.9
unknown
ctldl.windowsupdate.com
  • 95.101.54.113
  • 95.101.54.128
  • 95.101.54.136
  • 95.101.54.195
  • 95.101.54.105
  • 95.101.54.121
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
globessl.ocsp.sectigo.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ya.ru
  • 5.255.255.242
  • 77.88.44.242
  • 77.88.55.242
whitelisted
mc.yandex.ru
  • 87.250.251.119
  • 87.250.250.119
  • 77.88.21.119
  • 93.158.134.119
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
ocsp2.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
suggestqueries.google.com
  • 216.58.206.78
whitelisted

Threats

No threats detected
No debug info