File name:

asdf.txt

Full analysis: https://app.any.run/tasks/ac8e3a0b-11cd-4273-89a2-6830351682f3
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: October 20, 2023, 17:04:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

55E71FC5CA1339FCF871B184DB46BD13

SHA1:

06F3E4248D176B4729FE0D3D198C7E283BAF4080

SHA256:

7E2225B65F4B678B23329D2C42F29B98528DF20A18EDCF7CC125B0F23783727F

SSDEEP:

3:OCxXhGU2byxybg22QyO/HGVClhgOm:RXhIz2Qy+mVFOm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • cmd.exe (PID: 960)

    • Steals credentials

      • SearchProtocolHost.exe (PID: 2612)

    • Actions looks like stealing of personal data

      • cmd.exe (PID: 960)

  • SUSPICIOUS

    • Executes as Windows Service

      • vds.exe (PID: 1608)

    • Reads the Internet Settings

      • SearchProtocolHost.exe (PID: 3764)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 960)

    • Executes as Windows Service

      • SearchIndexer.exe (PID: 2916)
      • SearchIndexer.exe (PID: 1924)

    • Creates files in the program directory

      • SearchIndexer.exe (PID: 2916)
      • SearchIndexer.exe (PID: 1924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bc | LLVM Bitcode (generic) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
63
Monitored processes
13
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start notepad.exe no specs cmd.exe diskpart.exe no specs vdsldr.exe no specs vds.exe no specs searchindexer.exe no specs searchindexer.exe no specs searchprotocolhost.exe searchfilterhost.exe no specs searchprotocolhost.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
296MOUNTVOL X:\ /rC:\Windows\System32\mountvol.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
960"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1144DISKPARTC:\Windows\System32\diskpart.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DiskPart
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\diskpart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1608C:\Windows\System32\vds.exeC:\Windows\System32\vds.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
1908MOUNTVOL X:\ /pC:\Windows\System32\mountvol.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1924C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\System32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2132MOUNTVOL X:\ /eC:\Windows\System32\mountvol.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
2472"C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\asdf.txt"C:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2552"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532 C:\Windows\System32\SearchFilterHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2612"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exe
SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
4 532
Read events
3 946
Write events
379
Delete events
207

Modification events

(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:000003f5
Value:
01000000EFF4565C200C00000300000000000000
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:000003eb
Value:
010000006F74575C200C00000300000000000000
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:00000bdc
Value:
010000003878575C200C00000300000000000000
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager
Operation:writeName:UseSystemTemp
Value:
0
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex
Operation:writeName:SystemLcid
Value:
1033
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\3
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2916) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\5
Operation:writeName:CrawlControl
Value:
0
Executable files
0
Suspicious files
25
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2916SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrsbinary
MD5:87E50E8586DBA6B53A60855024388427
SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0
2916SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logbinary
MD5:BC137698B7B3AF2D8D7158E7CC3D1B32
SHA256:3419075062538116AE35A13ADF2F3C38DA778A00D36BBCFB9521A8CD4834F3E5
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logbinary
MD5:5E41B5F54EF24C5A121F835D92A984E5
SHA256:23D792019D827A71534F6062C5EE3C6C204CC4F5658A78BFA7A6433B26D58ABF
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrsbinary
MD5:87E50E8586DBA6B53A60855024388427
SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.logbinary
MD5:5E41B5F54EF24C5A121F835D92A984E5
SHA256:23D792019D827A71534F6062C5EE3C6C204CC4F5658A78BFA7A6433B26D58ABF
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrsbinary
MD5:87E50E8586DBA6B53A60855024388427
SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chkbinary
MD5:D34EB3696CA9E972ABBFEF2301AC7473
SHA256:A0C17E586784AC0456B2BED0575466B155CAD88829DDFA36D5144005DC0C7406
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002binary
MD5:D55C0CFDACD324A50B20D82C23AE957C
SHA256:70C336472B02A29928327DBBF62E8DE9886F2A163D206B2C687D9C76A407F4CA
1924SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edbbinary
MD5:F3E663B79B3054B7D9C06F71B0A6516C
SHA256:03DCF5AFCA69BD341E78E95ED71D87F2ACB50ACC8A91730C9B0416DDF311B917
1924SearchIndexer.exeC:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.001binary
MD5:FCD6BCB56C1689FCEF28B57C22475BAD
SHA256:DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
asdf.txt